A data security specialist by Swiss Post

Insecure SHA-1 certificates

Since 2005 it has been known that the SHA-1 algorithm can be broken using sophisticated methods and large amounts of computing power. As a result, SHA-1 was classified as unsafe for future use, and we quickly implemented the SHA-2 algorithm in our certificates.
In 2014, methods became known that make it possible to break SHA-1 even faster, which further increased the urgency of replacing it. Consequently, all modern browsers and operating systems have stopped supporting SHA-1 SSL/TLS certificates since the beginning of the year.
Using these new methods, two different documents with the same SHA-1 hash were produced at the end of February. This demonstrates in practice that using SHA-1 is a concrete risk and should be avoided. We therefore recommend replacing any remaining SHA-1 certificates with the new generation of SHA-2 certificates.

Customers of our managed PKI can simply revoke these certificates and have new ones issued by the managed PKI. SHA-1 certificates can also be recognized by the name of the issuing CA, which shows the abbreviation "G2" instead of "G22". For recipients of individual certificates from the web shop, we started an exchange program 2 years ago. If you have not yet made use of it, please contact our help desk.
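The "G2" versus "G22" issuer name is a naming convention specific to this PKI. The check that works for any certificate is to read the outer signatureAlgorithm of the X.509 structure, which records the hash the issuing CA used when it signed. The following is an added example, not Swiss Post code or a Swiss Post tool: a dependency-free Python DER walker that extracts that OID and flags SHA-1-signed certificates. The certificates it parses are constructed placeholders built by the assumed helper build_sample_certificate(), structurally a Certificate SEQUENCE with a dummy body, not real or trusted certificates.

```python
"""Flag SHA-1 signed X.509 certificates from DER or PEM input (pure Python).

Added example; the sample certificates are CONSTRUCTED placeholders.
"""
import base64

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (hash family, name).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("SHA-1", "sha1WithRSAEncryption"),
    "1.2.840.10040.4.3": ("SHA-1", "dsaWithSHA1"),
    "1.2.840.10045.4.1": ("SHA-1", "ecdsa-with-SHA1"),
    "1.2.840.113549.1.1.11": ("SHA-2", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("SHA-2", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("SHA-2", "sha512WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("SHA-2", "ecdsa-with-SHA256"),
    "1.2.840.10045.4.3.3": ("SHA-2", "ecdsa-with-SHA384"),
    "1.2.840.10045.4.3.4": ("SHA-2", "ecdsa-with-SHA512"),
}
SEQUENCE, OID, INTEGER, NULL, BIT_STRING = 0x30, 0x06, 0x02, 0x05, 0x03


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OID content bytes -> dotted notation, e.g. '1.2.840.113549.1.1.5'."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def signature_algorithm(der):
    """Return (oid, name, hash_family) of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The outer signatureAlgorithm is the hash the issuing CA actually signed with.
    """
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER-encoded Certificate SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(oid_bytes)
    family, name = SIGNATURE_OIDS.get(oid, ("unknown", oid))
    return oid, name, family


def is_sha1_signed(der):
    """True when the certificate falls under the SHA-1 replacement advice."""
    return signature_algorithm(der)[2] == "SHA-1"


def load_pem(pem_text):
    """Strip PEM armour lines and return the DER bytes."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample input: a tiny DER encoder and a placeholder certificate ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_certificate(sig_oid):
    """CONSTRUCTED placeholder (assumed helper): a Certificate SEQUENCE whose
    signatureAlgorithm is sig_oid; tbsCertificate and signatureValue are dummies."""
    alg_id = der_encode(SEQUENCE, der_encode(OID, encode_oid(sig_oid)) + der_encode(NULL, b""))
    tbs = der_encode(SEQUENCE, der_encode(INTEGER, b"\x01") + alg_id)  # serial + signature
    sig = der_encode(BIT_STRING, b"\x00" + bytes(256))                 # 0 unused bits + dummy
    return der_encode(SEQUENCE, tbs + alg_id + sig)


if __name__ == "__main__":
    for label, oid in [("old", "1.2.840.113549.1.1.5"), ("new", "1.2.840.113549.1.1.11")]:
        cert = build_sample_certificate(oid)
        _, name, family = signature_algorithm(cert)
        print(f"{label}: {name} [{family}] -> {'REPLACE' if is_sha1_signed(cert) else 'ok'}")
```

For a real certificate file, pass `load_pem(open("cert.pem").read())` to `is_sha1_signed()`; the same information is shown by `openssl x509 -in cert.pem -noout -text` under "Signature Algorithm". Note that the check looks at how the certificate was signed by its issuer, so a leaf certificate must be judged together with every intermediate in its chain.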

If access certificates for our managed PKI are still based on SHA-1, we will replace them proactively and inform you in advance of the exchange.