SHA-1 certificates have been known to be vulnerable for some time, and most browsers have stipulated that these certificates won’t be rejected until January 1, 2017. However, recent research indicates a significant increase in the risk of using SHA-1 certificates, and it is strongly recommended to replace them with SHA-2 certificates as soon as possible.
UBC IT has contacted site owners who have SHA-1 certificates purchased through UBC IT about this advisory.
Recommendation:
- If you have been delaying your X.509 certificate reissue, please complete the task now.
- To generate a Certificate Signing Request (CSR), please follow this guide: https://confluence.id.ubc.ca:8443/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate
- If you have existing SHA-1 certificates with a CA, please submit your CSR to your CA to have the certificates reissued as SHA-2.
Links
http://arstechnica.co.uk/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/
https://sites.google.com/site/itstheshappening/
Questions
Please contact security@ubc.ca if you have any questions.