SHA-256 SSL certificates

Written late in the morning in English

The technical details of an SSL certificate are up to the issuing CA, which is understandable. I was still surprised when my SHA-256 CSR resulted in a SHA-1 certificate back in April, when reissuing it due to Heartbleed. But I didn’t pursue it at the time.

Now that Google has announced it is sunsetting SHA-1-signed certificates by the end of the year, the issue has become more pressing. Fortunately, instructions for reissuing GeoTrust-based certificates — such as the RapidSSLonline ones — were already available.

How to reissue a GeoTrust-based certificate

  • Generate a new CSR for your web domain name.
  • Log in to the GeoTrust portal using your web domain name and the email address used to request the certificate.
  • Follow the login link sent by email.
  • Click on “Reissue Certificate” from the menu on the left.
    • Choose SHA-256 from the drop-down menu.
    • Copy the CSR onto the form.
    • Accept the terms.
    • Click on “Submit.”
  • Follow the approval link sent by email.
  • In a few minutes you should receive an email with new certificates.

Copy both certificates (one for your web domain name and another for the intermediate CA) from the email and install them on the web server.
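
Since a SHA-256 CSR does not guarantee a SHA-256 certificate, it is worth checking the signature algorithm of both returned certificates before installing them. The script below is an added example, not part of the original post; it assumes the `openssl` command-line tool is installed, and the function names, file paths and `example.com` are placeholders.

```shell
#!/bin/sh
# Added example: function names, paths and example.com are placeholders.

# Create a 2048-bit RSA key and a CSR signed with SHA-256.
# $1 = common name, $2 = key output path, $3 = CSR output path
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Print the signature algorithm of a PEM file.
# $1 = "req" for a CSR or "x509" for a certificate, $2 = file path
sig_alg() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $NF; exit }'
}

# Succeed only if the algorithm name is readable and is not
# based on SHA-1 (MD5 is rejected as well).
is_acceptable() {
    case "$1" in
        ""|*[Ss][Hh][Aa]1*|*[Mm][Dd]5*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check every certificate received from the CA (the domain certificate
# and the intermediate). Returns non-zero if any of them is weak.
check_chain() {
    rc=0
    for cert in "$@"; do
        alg=$(sig_alg x509 "$cert")
        if is_acceptable "$alg"; then
            echo "ok:   $cert ($alg)"
        else
            echo "WEAK: $cert (${alg:-unreadable})"
            rc=1
        fi
    done
    return $rc
}

# When run with file arguments, check them, e.g.:
#   sh check.sh domain.crt intermediate.crt
if [ "$#" -gt 0 ]; then
    check_chain "$@"
fi
```

If `check_chain` reports a weak certificate, repeat the reissue and make sure SHA-256 is selected in the drop-down menu.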