SSL certificate migration to SHA-2


What do I do to migrate my cert to SHA-2?

First of all – this is only relevant and important for activated certificates. If your certificate is signed with the SHA-1 algorithm, we strongly recommend updating it to SHA-2. To update an SHA-1 signed certificate (Comodo (now Sectigo) certificates issued before May 7, 2014) to SHA-2 algorithm, all you need to do is perform a reissue under your account. To check which hashing algorithm your certificate has, you can use this tool.


One of the most important parts of an SSL Certificate’s security is the signature algorithm. For the last several years, SHA-1 (Secure Hash Algorithm) has been the most widely used algorithm. Back in 2004, SHA-1 stepped in to replace MD5, which has been found to be vulnerable and insecure. Security services are improving along with other technologies, and now it’s time for another change.

Even though the SHA-1 algorithm is still widely used, two of the biggest players in the web community – Microsoft and Google – have decided it’s time to change the SHA-1 algorithm, just as you would replace an old tire before it actually breaks up on the road. The next step forward is the SHA-2 algorithm.

Starting November 6, 2014, all certificates obtained from are signed with SHA-2 algorithm by default.

Certificates signed with SHA-1 will still be in use until December 31, 2015, though they might show an informative notification in Google Chrome browser (after version 39) and some other modern browsers.

CA Bundles:

As both public certs and intermediate certs were updated to the SHA-2 algorithm, the Certificate Authorities have created new chain files to be used with the updated certificates. These files include intermediate certificates signed with the SHA-2 algorithm. To make sure you have an up-to-date chain file, for your certificate not to throw any warnings, check out our CA Bundle archive.