SHA1 to SHA2 migration

We’ve gotten a few complaints from users that the latest release of Chrome has already started carping about our SHA1-signed certificates, so we’d like to get SHA2 versions out to at least our most public and heavily-traversed web sites. What’s the most efficient way to get new versions of our certs? Referring to the Certificate Manager console, would “renew” or “replace” be appropriate? Or should we issue entirely new certs and revoke the old ones?

Many thanks for your (collective) time, and apologies if I’ve missed an FAQ that covers this.

“Replace” on the interface is pretty much the same as “revoke and issue new”.

“Renew” will only allow you to buy a new cert with an updated expiry date.

If you need to change the cipher, you have to actually log a ticket and request it. Live chat tends to be more responsive than email, IMO. Just give them your existing order number and ask for help replacing it with a SHA2 order.

I guess that’s my question – if I renew an existing cert, would the new cert be signed with SHA2? We’ve got a fair number of these things that need to be signed with SHA2, and creating a ticket for each one is going to take forever. Also, we’ve got a deal through InCommon so we’re not paying for the certs individually; if renewing a cert will get me an SHA2 cert quickly, that would be great – we’re not spending additional money to do it.

Though, if a live chat would work, that would be fine. Er, I’m not seeing a link to start one on the Certificate Manager page – where could I find one?

Many thanks for your assistance, by the way. It’s appreciated.

If you renew an existing cert, what you will get will be the same as the existing certificate (in other words, no).