What is the difference between SHA256 and SHA-256-FULL-CHAIN?

During an SSL/TLS certificate order, you may see the option to select SHA256 or SHA256-FULL-CHAIN as the hashing algorithm.

The SHA256 option issues a certificate signed using SHA256 and chained to a SHA256 intermediate. The intermediate then chains to a SHA1 root certificate. Having a SHA1 root certificate has no impact on the security of the certificate. This is because root certificates are used for identity purposes and not for encryption.

We recommend selecting this option for maximum compatibility with client devices.

The SHA256-FULL-CHAIN option issues a certificate where all certificates in the chain, including the root, use the SHA-256 hashing algorithm. Over time, all certificates will migrate to a SHA-256 root certificate. Anyone inspecting your certificate will see that it is a full SHA256 chain.

The SHA256 root certificate is present in all recent browsers. However, users of older browsers may not be able to access websites using SHA256-FULL-CHAIN.
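To check which of the two chain types a PEM bundle actually is, the sketch below reads the signature algorithm on each certificate and labels the chain. It is an added example, not the certificate vendor's code. The function names are hypothetical, the bundle is assumed to be ordered leaf, intermediate(s), root, and the sample bundles are constructed skeletons rather than real certificates.

```python
import base64
import re

# DER-encoded signatureAlgorithm OIDs: sha1WithRSA, sha256WithRSA, ecdsa-with-SHA256.
SHA1_RSA, SHA256_RSA, SHA256_ECDSA = "2a864886f70d010105", "2a864886f70d01010b", "2a8648ce3d040302"
SIG_HASH = {SHA1_RSA: "SHA1", SHA256_RSA: "SHA256", SHA256_ECDSA: "SHA256"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_hash(der):
    """Hash of the signature placed ON this certificate by its issuer."""
    _, cert, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)      # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)    # signatureAlgorithm
    _, oid, _ = read_tlv(alg, 0)       # algorithm OID
    return SIG_HASH.get(oid.hex(), "other")

def classify_chain(pem_bundle):
    """Bundle order: leaf, intermediate(s), root. Returns (label, hashes)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    hashes = [signature_hash(base64.b64decode(b)) for b in blocks]
    if len(hashes) < 2 or set(hashes[:-1]) != {"SHA256"}:
        return "neither", hashes
    label = {"SHA256": "SHA256-FULL-CHAIN", "SHA1": "SHA256"}.get(hashes[-1], "neither")
    return label, hashes

def constructed_pem(oid_hex, pad=0):
    """Constructed skeleton (not a real certificate): dummy tbsCertificate and signature."""
    def tlv(tag, body):
        n = len(body)
        size = (n.bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
        return bytes([tag]) + head + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, b"\x00" * pad) + alg + tlv(0x03, b"\x00\x01"))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample bundles (leaf, intermediate, root).
MIXED = constructed_pem(SHA256_RSA, 300) + constructed_pem(SHA256_RSA) + constructed_pem(SHA1_RSA)
FULL = constructed_pem(SHA256_RSA, 300) + constructed_pem(SHA256_RSA) + constructed_pem(SHA256_RSA)
```

Signature algorithms outside the three listed OIDs are reported as "other", so such a chain is labelled "neither" rather than guessed at.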
