Replace a SHA-1 with a SHA-2 Certificate in Plesk

SHA-1 is a cryptographic hash function published in 1993. Since 2005, the security of SHA-1 has been questioned. In November 2013, Microsoft announced its SHA-1 deprecation policy, which states that Windows will stop accepting SHA-1 certificates in SSL by 2017.
 
Important Dates
  • In November 2014, Chrome will begin displaying a yellow triangle warning.
  • In December 2014, Chrome will show a warning for certificates expiring after June 1, 2016.
  • In January 2015, Chrome will show a warning for certificates expiring at any time in 2016.
  • On January 1, 2016 Microsoft will end trust for SHA-1 code signing certificates without time stamps.
  • On January 1, 2017 Microsoft and Mozilla will end trust for all SHA-1 SSL certificates.
Test Your SSL Certificate
DigiCert's SHA-1 Sunset Tool tests whether your site is serving a SHA-1 or a SHA-2 (SHA-256) certificate.
Qualys SSL Labs also produces an SSL report for any domain you test.
 
Update Your Certificate
To update your certificate, you will need to re-key it with your certificate authority. Before you can re-key your certificate, you must generate a new certificate signing request (CSR). 
  1. Log into your Control Panel.
  2. Select the domain or subscription of the website that needs to be re-keyed.
  3. If your website is on a Plesk 12 server, click the Show More icon, then click Secure Your Sites.
  4. If your website is on a Plesk 11 server, click the Websites & Domains tab > Secure Your Sites.
  5. If your website is on a Plesk 9.5 server, click SSL Certificates.

    SSL Certificate
     
  6. Click Add SSL Certificate to create a new certificate that will house your new SHA-2 (SHA-256) certificate.
  7. Name the certificate something other than your previous certificate's name.
  8. Include the country, state, city, domain name, and email address. We recommend not including the www in the domain name. Most certificate authorities key the certificate for the name as written and for the www name as a courtesy.
  9. Click Request.

    Add an SSL Cert
     
  10. Both certificates will be listed.


    2 certificates listed
     
  11. Click the name of the newly created certificate.
  12. Scroll down to the CSR section. 
  13. Copy the whole CSR to your clipboard, from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST-----, including the dashes.
  14. Go to your certificate authority's website, log in, and request a new certificate for your domain. Paste in the CSR and request the certificate. Certificate Authorities are now keying certificates in SHA-2 or greater formats.
  15. Once you receive confirmation that your certificate is ready, download it to your local computer.
  16. Log into your website's control panel and navigate to the SSL Certificates or Secure Your Websites icon and click it.
  17. Click on the SSL certificate you created earlier.
  18. Choose one of the two installation methods below. 
Install the Certificate from File
  1. Under Upload certificate files click Choose File next to Certificate and select the .crt file in the bundle sent to you.
  2. Under Upload certificate files click Choose File next to CA Certificate and select the .ca file sent to you. If you were not given a ca file, you can ignore this step.
  3. Click Send File.

    Upload Certificate as File or Text
     
Install the Certificate from Text
  1. Open the SSL certificate file in a text editor such as Notepad.
  2. If applicable, copy the section of text for the CA part.
  3. If applicable, under Upload certificate as text, paste the text you copied into the CA field.
  4. Open the SSL certificate file in the text editor again.
  5. Copy the section of text for the Certificate.
  6. Under Upload certificate as text, paste the text you copied into the Certificate field.
  7. Click Send Text.
 
Activate the certificate by forcing an update to Plesk's cache
  1. Go to your Websites & Domains tab
  2. Expand (Show) Advanced Operations
  3. Select Website Scripting & Security
  4. Uncheck Enable SSL Support
  5. Select OK
  6. Return to Website Scripting & Security and check Enable SSL Support
  7. Select the appropriate certificate from the drop-down list
  8. Select OK
Test Your SSL Certificate
DigiCert's SHA-1 Sunset Tool tests whether your site is now serving a SHA-1 or a SHA-2 (SHA-256) certificate.
