Are SHA-2 certificates considered obsolete, or current?

"SHA-2" is the traditional codename for a family of six functions that includes SHA-256 and SHA-512. These functions are considered completely fine and current and non-obsolete.

There is a newer family of functions called SHA-3, but it has been formally defined only very recently, and nobody really supports them yet. Moreover, SHA-3 is not formally defined as a replacement for SHA-2, but as an alternative.

All the current fuss is about an older function called "SHA-1", not "SHA-2" (and most of the panic is greatly exaggerated).

SHA-2 is currently good. It is SHA-1 that is deprecated:

Due to the insecure nature of the SHA1 algorithm, it is good practice to replace SHA1 certificates with SHA2 certificates as soon as possible. (Check SHA2 compatibility first). But for practical reasons, the process will generally need to be staggered to occur within the critical dates promoted by Microsoft and other vendors.
Your plan should replace SHA1 SSL certificates in the following order:

  • certificates with an expiry date of 1 January 2017 or later.
  • certificates with an expiry date between 1 June 2016 and 31 December 2016, inclusive.
  • certificates with an expiry date before 1 June 2016.

No expiry date has been determined for SHA-2.
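To make the "is this a SHA-1 or SHA-2 certificate" question checkable, here is an added example (not code from either answer): a small pure-Python DER walker that reads a certificate's signatureAlgorithm OID and notAfter date and maps a SHA-1 certificate onto the three replacement buckets quoted above. The sample certificate is constructed inline and is structurally minimal (empty names, dummy signature); the OIDs are the standard RSA and ECDSA signature-algorithm identifiers.

```python
from datetime import datetime

HASH_BY_OID = {  # signature-algorithm OID -> hash family it relies on
    "1.2.840.113549.1.1.5": "SHA-1",  "1.2.840.10045.4.1": "SHA-1",
    "1.2.840.113549.1.1.11": "SHA-2", "1.2.840.10045.4.3.2": "SHA-2",
    "1.2.840.113549.1.1.12": "SHA-2", "1.2.840.10045.4.3.3": "SHA-2",
    "1.2.840.113549.1.1.13": "SHA-2", "1.2.840.10045.4.3.4": "SHA-2",
}

def der(tag, body):
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def der_children(buf):
    """Split a DER SEQUENCE body into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            nb = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_time(tag, body):                      # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt)

def inspect_cert(cert_der):
    """Return the hash family and, for SHA-1 certs, the replacement bucket (1-3)."""
    (_, tbs), (_, sig_alg), _ = der_children(der_children(cert_der)[0][1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # skip explicit [0] version if present
        fields = fields[1:]
    not_after = parse_time(*der_children(fields[3][1])[1])   # validity.notAfter
    family = HASH_BY_OID.get(decode_oid(der_children(sig_alg)[0][1]), "unknown")
    priority = None
    if family == "SHA-1":                       # order quoted in the answer above
        priority = 1 if not_after >= datetime(2017, 1, 1) else \
                   2 if not_after >= datetime(2016, 6, 1) else 3
    return {"hash": family, "not_after": not_after, "priority": priority}

def sample_cert(sig_oid, not_after):
    """Constructed, unsigned, structurally minimal certificate for the demo."""
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid)))
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

For a real certificate, feed `inspect_cert` the DER bytes of the file (a PEM file is just that DER base64-encoded between the BEGIN/END lines).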