Sunset for SHA1 certificates!

It's time to look into migrating away from SHA1 as the signing algorithm for your certificates. The obvious reason is security: SHA1 has been considered weak for roughly 10 years now, and in late 2013 Microsoft announced its SHA1 deprecation policy.

(http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx)

What does this actually mean?

Code-signing certificates using SHA1 won't be accepted by Microsoft products after 1 January 2016 unless the signature carries a timestamp. Timestamped SHA1 signatures stay accepted until 14 January 2020.

For SSL certificates, Microsoft products will stop accepting SHA1 end-entity certificates on 1 January 2017, so every SSL certificate that is valid past that date needs to be signed with a SHA2 algorithm.

Google (Chrome) and Mozilla (Firefox) are on this as well; details can be found here:

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

DigiCert has a really nice SHA2 compatibility list:

https://www.digicert.com/sha-2-compatibility.htm

What has to be done?

Publicly signed certificates are in most cases already signed with SHA2, but check to make sure. If you have SHA1-signed SSL certificates that are valid past 1 January 2017, every vendor I know of will re-sign the cert with SHA2. Contact the issuer for help.
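One way to do that check from a Windows box, as an added example that is not part of the original post: it lists the SHA1-signed certificates in the machine's Personal and Intermediate CA stores that are still valid past the 1 January 2017 cut-off, and can also pull the leaf certificate a TLS endpoint serves. The host name at the end is a placeholder.

```powershell
# Added example, not code from the original post. Lists SHA1-signed certificates
# that are still valid after Microsoft's 1 January 2017 SSL cut-off, first from
# the local machine's certificate stores and then from a remote TLS endpoint.
$Cutoff = [datetime]'2017-01-01'

function Test-Sha1Certificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # SignatureAlgorithm is the algorithm the *issuer* used to sign this
        # certificate (FriendlyName e.g. 'sha1RSA', 'sha256RSA', 'sha256ECDSA').
        $alg = $Certificate.SignatureAlgorithm.FriendlyName
        # A self-signed root's own signature is never verified by clients, so a
        # SHA1 root is not a problem by itself; only certificates below it are.
        $isRoot = $Certificate.Subject -eq $Certificate.Issuer
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            Thumbprint = $Certificate.Thumbprint
            SigAlg     = $alg
            NotAfter   = $Certificate.NotAfter
            NeedsSha2  = (-not $isRoot) -and ($alg -like 'sha1*') -and ($Certificate.NotAfter -ge $Cutoff)
        }
    }
}

# 1. Local stores: Personal (what IIS, RDP, LDAPS etc. serve) and Intermediate CAs.
Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\CA |
    Test-Sha1Certificate |
    Where-Object { $_.NeedsSha2 } |
    Format-Table Subject, Issuer, SigAlg, NotAfter -AutoSize

# 2. A remote endpoint: read the leaf certificate a TLS server presents.
function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: we only want to inspect the leaf, not trust it.
        $ignoreChain = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreChain)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

# Host name is a placeholder; replace it with an internal site you want to check.
Get-TlsCertificate -HostName 'intranet.example.internal' | Test-Sha1Certificate
```

The second part is handy for internal sites that SSL Labs cannot reach. Note that the validation callback deliberately accepts any chain, so this function is for inspection only, never for anything that should actually trust the connection.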

Internally signed certificates have to be re-issued as well. First you have to prepare the CA to sign with SHA2, and then you need to start replacing your certificates.
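For an AD CS issuing CA, the preparation step comes down to changing one registry value and restarting the service. The following is an added example, not from the original post; it assumes the CA key already lives in a CNG key storage provider, and that the host running the test enrollment is allowed to enroll for the built-in Computer template (internal name 'Machine').

```powershell
# Added example, not code from the original post: point an AD CS issuing CA at
# SHA256 for everything it signs from now on (certificates, CRLs, OCSP responses),
# then verify with a test enrollment. Run elevated on the CA itself.

# 1. Which provider holds the CA key? CNGHashAlgorithm only applies to CNG key
#    storage providers ('Microsoft Software Key Storage Provider' or an HSM KSP).
#    A CA still on a legacy CSP (e.g. 'Microsoft Strong Cryptographic Provider')
#    has to migrate its key to a KSP first; back up the CA before doing that.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. Switch the hash and restart the CA service so the new value is picked up.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# 3. Verify: enroll a test certificate and read its signature algorithm.
#    'Machine' is the built-in Computer template (assumption: this host may enroll for it).
$enrollment = Get-Certificate -Template 'Machine' -CertStoreLocation Cert:\LocalMachine\My
$enrollment.Certificate.SignatureAlgorithm.FriendlyName
```

After the restart, the test enrollment should report sha256RSA where it used to report sha1RSA. Two caveats: if the CA is a subordinate, its own certificate was signed by the parent CA and has to be renewed from the parent once the parent signs with SHA2 (the root's self-signature does not matter, see the comments below); and because the CRLs and OCSP responses switch to SHA256 as well, any client that cannot verify SHA2 will start failing revocation checks, so check the compatibility list above before flipping the switch.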

Unsure about your certificates? Test your site here: https://www.ssllabs.com/ssltest/index.html


Any questions? Just let me know!

3 thoughts on “Sunset for SHA1 certificates!”

  1. It’s my understanding that certificates that chain up to an internal CA are not affected by Microsoft's SHA1 deprecation policy, only certificates issued by those CAs that are in the Microsoft Root Certificate Program.
    Also, the Root CA itself does not have to be upgraded, since it is verified using other methods.
    Still need to get rid of SHA1 though 🙂

    1. Hi Tom!
      You are correct, that's the info in the MS deprecation policy. But the browsers from other vendors, like Chrome and Firefox, won't like the certificates from your internal PKI if they're SHA1. So SHA2 it is! 🙂
      But a good point!
