Saturday, 13 December 2014

Moving targets

Amongst other things my team issues SSL certificates to the University. Whilst much of the process is automated, there is a call and response routine we need to follow with our certificate provider that has to be dealt with by hand. Earlier this year the Heartbleed vulnerability caused us to work like demons to replace all impacted SSL certificates. At the time we were grateful that only some of the certificates we had issued were impacted.

Back in September my colleague Jon, who masterminds the technical side of this service, told us that SHA-1 certificates were to be deprecated on a rather aggressive time scale by Chrome, with other browser producers falling in line with them in due course. So we sat down and worked out how we were going to handle this for the ~300 certificates we had issued that were impacted. Our cert issuing authority was helpful, and after a few conversations they agreed to issue replacement SHA-2 certificates free of charge.