The Akamai Blog

Surviving The Switch from SHA-1 to SHA-2

By Meg Grady-Troia and Bill Brenner

As we move toward 2016, browser developers have moved to retire the SHA-1 cryptographic hash algorithm in favor of SHA-2. Browsers are beginning to show warnings or errors for HTTPS connections made to servers whose certificate chains are signed using SHA-1.
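Before planning a switch it helps to know exactly which signature algorithm each certificate in your chain carries. The following Python is an added example, not Akamai's code or part of the original post: it walks the DER structure of an X.509 certificate far enough to read the signatureAlgorithm OID, names it, flags SHA-1 (and MD5) signatures, and checks that the OID inside tbsCertificate matches the outer one as RFC 5280 requires. The sample certificates are constructed stand-ins that contain only the fields the audit reads; the function names and the OID table are this example's own.

```python
import base64

# Signature-algorithm OIDs (RFC 3279 / RFC 5758) mapped to their usual names.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# Algorithms browsers are retiring (SHA-1) or already reject (MD5).
WEAK_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

# DER contents of the two OIDs used for the constructed samples below.
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    subids, val = [], 0
    for b in body:  # base-128, high bit set on all but the last byte of a subidentifier
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]  # first subidentifier packs the first two arcs
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_body, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def audit_certificate(cert_der):
    """Name the signature algorithm of a DER certificate and say whether it is SHA-1/MD5."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert)             # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)    # signatureAlgorithm
    # Inside tbsCertificate: optional [0] version, then serialNumber, then signature.
    tag, _, p = read_tlv(tbs)
    if tag == 0xA0:
        tag, _, p = read_tlv(tbs, p)         # skip version; this read is the serialNumber
    _, inner_alg, _ = read_tlv(tbs, p)       # tbsCertificate.signature
    outer_oid, inner_oid = algorithm_oid(outer_alg), algorithm_oid(inner_alg)
    return {
        "signature_algorithm": OID_NAMES.get(outer_oid, outer_oid),
        "weak": outer_oid in WEAK_OIDS,
        # RFC 5280 4.1.2.3: the two algorithm fields must carry the same OID.
        "consistent": outer_oid == inner_oid,
    }


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = [line.strip() for line in pem_text.splitlines()
            if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample certificates."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def alg_id(oid_bytes):
    return tlv(0x30, tlv(0x06, oid_bytes) + b"\x05\x00")  # OID + NULL parameters


def build_sample_cert(sig_oid, tbs_sig_oid=None):
    """Constructed stand-in: a Certificate SEQUENCE holding only the fields audited above."""
    tbs_sig_oid = tbs_sig_oid or sig_oid
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))   # version v3
                  + tlv(0x02, b"\x01")                # serialNumber 1
                  + alg_id(tbs_sig_oid))              # signature (a real TBS continues here)
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00" * 9))  # dummy BIT STRING


if __name__ == "__main__":
    for label, cert in [("sha1", build_sample_cert(SHA1_RSA)),
                        ("sha256", build_sample_cert(SHA256_RSA))]:
        print(label, audit_certificate(cert))
```

On a real certificate file you would call audit_certificate(pem_to_der(open(path).read())) for each PEM block in the chain your server presents; a weak flag on any intermediate, not only the leaf, is enough to trigger the browser behaviour described above. The consistency check catches a malformed certificate whose inner and outer algorithm fields disagree, which conforming validators reject.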

Companies like Google, Mozilla, Microsoft and the CA/Browser Forum have released their own descriptions of how they're managing the process. This post describes the Akamai-compatible workflow to help you manage the change process for your properties easily, regardless of the Certificate Authority (CA) that signs your certificate.

Customers with certificates provisioned on the Secure Content Delivery Network (SCDN) have the flexibility to select when and how to replace their current SHA-1 based certificate with a SHA-2 based certificate.

Akamai's new Certificate Provisioning System (CPS), designed to enable customer self service, is now in Beta. CPS streamlines and automates a significant portion of the certificate provisioning process and provides consistency and error checks tightly linked to your certificate order.

What to do

If your certificate signature is managed by Akamai (CPS only):

Contact your account team and ask to have your certificate reissued with a SHA-2 hash. Your account team will coordinate reissuing your certificate with a SHA-2 hash from your CA. This will not incur a charge from Akamai, and should not disrupt service for your end-users.

If your certificate signature is managed through the third-party CA process (CPS or older):

It is important that you do not request a new certificate from your CA without first requesting a CSR from Akamai. CPS requires a new CSR, generated by Akamai (with an Akamai-generated key pair), for each certificate. The consistency checks will prevent uploading and enrolling a new certificate against an existing CSR and key pair.

Ask your account team to generate a new CSR for you to send to your chosen CA. This will not incur a charge from Akamai, nor should your CA object to reissuing the certificate with the new CSR.

If you encounter difficulties using the certificate signature update workflows:

If the above workflows are not possible for your current configuration, please reach out to your account team or Customer Care for additional support.

When should you switch from SHA-1 to SHA-2?

The decision to switch from SHA-1 to SHA-2 depends on how you use the Secure CDN. For most Akamai customers, whose end-users access Akamai-hosted web sites using standard web browsers, you should plan to switch the next time your certificate gets renewed. (Akamai-managed certificates renew annually; CPS or your account team can show you the details for each of your certificates.) Security-sensitive customers may wish to initiate a switch sooner; this can also be done through CPS or with your account team's assistance.

Some customers have end users who are dependent on the older SHA-1 algorithm: perhaps they are slow to upgrade their browsers, or perhaps they use a custom Web client that has not yet been upgraded for SHA-2. These customers might value compatibility over security; only the customer can make that choice.

Given the industry drive to remove support for SHA-1, we recommend that these customers immediately begin upgrading their browsers or custom clients; Akamai will, however, continue to support SHA-1 certificates on our network into 2016.