Carnegie Mellon University

Replacement of SHA-1 SSL Certificates Needed

DAY: Tuesday
DATE: October 21, 2014

WHOM DOES THIS AFFECT?

  • Anyone with active, public facing SSL certificates issued by the Carnegie Mellon Certificate Authority before September 8th, 2014.


SUMMARY:

The Carnegie Mellon Certificate Authority (CMU CA) recommends prioritizing replacement of SHA-1 SSL certificates (certs) with SHA-2 SSL certs for public facing web servers by early November 2014 to avoid negative user impact.  Starting in early November, Google Chrome will display security notices for sites using SHA-1 SSL certs, which will degrade the user experience.  Other browser vendors will do the same by Q1 2015.

The CMU CA will be contacting active SHA-1 SSL cert holders and will offer a streamlined replacement process.  Affected cert holders will receive direct email with an attached Excel spreadsheet from a member of the Information Security Office (ISO) staff.  Additionally, new SSL certs issued for Internal Names will only be valid through October 2015.



TECHNICAL DETAILS:

Almost all SSL certificates (certs) issued by the Carnegie Mellon Certificate Authority (CMU CA) prior to September 8th, 2014 are SHA-1 SSL certs.

On September 5th, 2014, Google announced plans to accelerate the sunsetting timeline for SHA-1 SSL certs.  Starting in early November, Google Chrome will begin to display security notices for sites using SHA-1 SSL certs, which will degrade the user experience.

While certificate authority (CA) vendors were planning to discontinue all SHA-1 certs by 2017, Google’s timeline is much more aggressive.  As a result, other browser and CA vendors have accelerated their plans.  Users will begin to see warnings on all major browsers in Q1 2015.

Additionally, all SSL cert requests that contain Internal Names in the Common Name or Subject Alternative Name will expire no later than October 31st, 2015.  Starting November 1st, 2014, new Internal Name cert requests will be signed with a validity period of less than one year.  Migration plans for these certs will be announced in the near future.  Internal Names are any domains in a private network that are not resolvable using the public Domain Name System (DNS), including RFC1918 IP addresses, any single server name containing no dots, and TLDs referenced in RFC2606:

  • .test
  • .example
  • .invalid
  • .localhost
  • .local
  • .lan
  • .priv
  • .localdomain

Google Chrome has already been displaying security warnings for Internal Name certs.  Consequently, these certs should not be used for public facing sites.
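The following Python script is an added example, not a tool from the CMU CA, that applies the two criteria described above to a certificate's fields: it flags SHA-1 signature algorithms (matched against the name printed on the "Signature Algorithm:" line of `openssl x509 -noout -text`) and lists any Internal Names found in the Common Name or Subject Alternative Names, using the definition given in this advisory (RFC1918 addresses, dotless host names, and the listed TLDs).  The sample certificate entries at the bottom are constructed for illustration.

```python
import ipaddress

# Reserved TLDs the advisory treats as Internal Names.
INTERNAL_TLDS = {"test", "example", "invalid", "localhost",
                 "local", "lan", "priv", "localdomain"}
# RFC1918 ranges (exact, rather than ipaddress.is_private, which also
# matches loopback, link-local and documentation space).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Algorithm names as printed on the "Signature Algorithm:" line of
# `openssl x509 -noout -text`; lower-cased for matching.
SHA1_SIG_ALGS = {"sha1withrsaencryption", "ecdsa-with-sha1", "dsawithsha1"}

def is_internal_name(name):
    """Internal Name per the advisory: RFC1918 IP, dotless host, listed TLD."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return False
    try:
        addr = ipaddress.ip_address(n)
        return any(addr in net for net in RFC1918_NETS)
    except ValueError:
        pass                      # not an IP literal, treat as a DNS name
    if "." not in n:
        return True               # single-label name such as "intranet"
    return n.rsplit(".", 1)[1] in INTERNAL_TLDS

def uses_sha1(sig_alg):
    """True if the certificate signature algorithm hashes with SHA-1."""
    return sig_alg.strip().lower() in SHA1_SIG_ALGS

def audit_cert(sig_alg, common_name, sans=()):
    """Return the SHA-1 flag, the Internal Names in CN/SAN, and whether
    the cert must be replaced under the advisory's two criteria."""
    names = [common_name] + list(sans)
    internal = [x for x in names if is_internal_name(x)]
    sha1 = uses_sha1(sig_alg)
    return {"sha1": sha1, "internal_names": internal,
            "needs_action": sha1 or bool(internal)}

if __name__ == "__main__":
    # Constructed sample entries, not real CMU certificate data.
    for sig, cn, sans in [
        ("sha1WithRSAEncryption", "www.example.org", ["mail.example.org"]),
        ("sha256WithRSAEncryption", "app.example.org", ["app", "10.1.2.3"]),
        ("sha256WithRSAEncryption", "shop.example.org", ["*.shop.example.org"]),
    ]:
        print(cn, audit_cert(sig, cn, sans))
```

The CN and SAN values can be taken from the Subject and "X509v3 Subject Alternative Name" sections of the same `openssl x509 -text` output.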

WHAT YOU NEED TO DO:

  • The Carnegie Mellon Certificate Authority (CMU CA) recommends prioritizing replacement of SHA-1 SSL certificates (certs) with SHA-2 SSL certs for public facing web servers by early November to avoid negative user impact.
  • The CMU CA will be contacting active SHA-1 SSL cert holders and will offer a streamlined replacement process.  Departments and individuals holding active certs will be sent a list of their certs.  Cert holders who do not need to change private keys may renew without submitting a new Certificate Signing Request (CSR).
  • All other services that use SHA-1 SSL certs (web services servers, mail servers, LDAPS, etc.) should have their certs replaced over the coming year as more software begins to deprecate them.
  • During the replacement process you may opt to remove Internal Names from your SSL certs.  Internal Names will not be allowed for certs after October 31st, 2015.

MORE INFORMATION:

SHA1:
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
https://www.comodo.com/e-commerce/SHA-2-transition.php

Internal Names:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/722/0/acceptable-internal-domain-names


CONTACT:

Please direct any questions or comments to the Carnegie Mellon Certificate Authority (certificate-authority@andrew.cmu.edu).