Sunset for SHA1 certificates!

It´s time to look into migration from SHA1 as signing algorithm for your certificates. The obvious reason is security and SHA1 have been considered insecure for at least 10 years by now. And in late 2013 Microsoft announced their SHA1 deprecation policy.

(http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx)

What does this actually mean then?

Code-signing certificates won´t be accepted in Microsoft products after January 1 2016 unless it got a timestamp. Then it will be ok until 14 January 2020.

For SSL certificates, Microsoft products will stop accepting SHA1 end-entity certificates by 1 January 2017. And all SSL certificates valid after that date needs to be signed with a SHA2 algorithm.

Google (Chrome) and Mozilla (Firefox) is on this as well and info can be found here:

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Digicert have a really nice SHA2 compatibility list:

https://www.digicert.com/sha-2-compatibility.htm

What have to be done?

Publicly signed certificates are in most cases signed with SHA2, but check to make sure. If you have SHA1 signed SSL-certificates valid after January 1 2017 all vendors I know of will re-sign the cert with SHA2. Contact the issuer for help.

Internally signed certificates have to be re-issued as well. First you have to prepare the CA to use SHA2 and then you will need to start to replace your certificates.

Are you unsure of your certificates? Test your site here: https://www.ssllabs.com/ssltest/index.html

ssl-labs_fb

 

Any questions? Just let me know!

 

3 thoughts on “Sunset for SHA1 certificates!”

  1. It’s my understanding that certificates that chain up to an internal CA are not affected by Microsofts SHA1 deprecation policy, only certificates issued by those CAs that are in the Microsoft Root Certificate Program.
    Also, the Root CA itself does not have to be upgraded, since it is verified using other methods.
    Still need to get rid of SHA1 though 🙂

    1. Hi Tom!
      You are correct, that´s the info in MS deprecation policy. But the browsers from other vendors, like Chrome and Firefox, won´t like the certificates from your internal PKI if it´s SHA1. So SHA2 it is! 🙂
      But a good point!

Leave a Reply to Ola Johansson Cancel reply

Your email address will not be published. Required fields are marked *