StartSSL SHA256 Certs

This is mostly an FYI (and for myself to remember) post.

If you use StartSSL to provide your certs (the free certs, class1), you may want (at least eventually) to update your StartSSL intermediate certs from the sha1 certs to the sha256 certs.

The sha1 certs are at:

The sha256 certs are at:

And then use these sha256 certs as you would with the sha1 certs.

On the next round of cert updating that I do for my domains, I have created a new csr with the -sha256 flag so that when I request new certs, they will be sha256. The command I used to generate the new key and csr:

openssl req -sha256 -new -newkey rsa:4096 -nodes -keyout <name>.key -out <name>.csr
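
One way to check the result of the steps above, as an added example that is not part of the original post: these shell functions wrap the command shown, report which signature algorithm a CSR carries, and list the algorithm of every certificate in a PEM bundle (your cert followed by the intermediates) so any remaining SHA-1 link stands out. The function names, the `-subj` argument and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# new_sha256_csr NAME SUBJECT [BITS]
# Same command as in the post, plus -subj so it runs without prompts.
new_sha256_csr() {
    openssl req -sha256 -new -newkey "rsa:${3:-4096}" -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2"
}

# csr_sigalg FILE
# Print the algorithm the CSR itself was signed with.
csr_sigalg() {
    openssl req -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# chain_sigalgs BUNDLE
# Print "subject<TAB>algorithm" for each certificate in a PEM bundle.
chain_sigalgs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        awk -F': ' '
            /^Certificate:/                { want = 1 }
            want && /Signature Algorithm/  { alg = $2; want = 0 }
            /^ *Subject:/                  { print $2 "\t" alg }'
}

# weak_sigalgs
# Filter chain_sigalgs output, keeping only SHA-1 or MD5 signed entries.
weak_sigalgs() {
    awk -F'\t' 'tolower($NF) ~ /sha1|md5/'
}

# Typical use (file names are placeholders):
#   new_sha256_csr example "/CN=example.test"
#   csr_sigalg example.csr
#   chain_sigalgs bundle.pem | weak_sigalgs
```

An empty result from `weak_sigalgs` means no certificate in the bundle is signed with SHA-1 or MD5.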

I set up a testing page for my SSLLabs testing.
Aside from the OCSP errors due to putting the new certs in today (2014.11.17), everything is looking good. Gotta check the SSLLabs page again tomorrow and see how things look after the OCSP errors are gone.


EDIT: This post is also a good read concerning the topic.

