1. Home
  2. SSL Certificate Support
  3. What is the Difference Between SHA-2 and SHA-2-Full-Chain

What is the Difference Between SHA-2 and SHA-2-Full-Chain

While you’re generating your SSL/TLS Certificate you may see an option to select a from 2 different hashing algorithms. You’re given a choice between SHA-2 and FULL SHA-2. SHA-2 is also sometimes referred to as SHA-256. But what’s the difference, and which one should you select?

What are Hashing Algorithms?

SHA stands for Secure Hashing Algorithm. In the world of SSL Hashing Algorithms, also called Hash Functions, are mathematical functions that condense data to a fixed size. These Hashing Algorithms are basically the language used to build the encryption of your SSL Certificate. There are many of these language, and some have been improved upon and phased out over the years. SHA 1 used to be industry standard, but has now been phased out and SHA 2 is used instead. SHA 2 is now recognized by most environments and devices, and only antiquated, older systems will recognize SHA 1.

What is SHA-2?

Choosing SHA-2 will issue a certificate using SHA-256 that comes chained to a SHA-256 intermediate. The intermediate will then chain back to a SHA-1 root. While SHA-1 is now outmoded for public facing certificates, having a SHA-1 root has no negative impact on security. That is due to the fact that root certificates are used for identity purposes—not encryption.

For maximum compatibility with client devices we recommend selecting this option.


What is FULL SHA-2?

Selecting FULL SHA-2 will issue a certificate that chains to both an intermediate and a root that also use SHA-256 hashing algorithm. Over the next several years all certificates will migrate to SHA-2 root certificates. In the meantime, anyone expecting your certificate will see that it is a full SHA-256 chain.

While SHA-256 root certificates are present in all current browsers, some of users on older browsers may not be able to access sites with FULL-SHA-2.


If you have any questions, or need help with any part of the generation process, you can reach out to our support team 24/7/365.

Updated on

Was this article helpful?

Related Articles