SHA-1 Deprecation 2017: Background, Root Program Key Dates, Migration Guide

Article Number: 000070634

In 2013 Microsoft announced that it would no longer support SSL/TLS certificates signed with the SHA-1 hashing algorithm as of 2017. In addition, Mozilla, Apple and Google announced that they would do the same for their browsers in support of Microsoft's decision.

Background 
Root Programs Key Dates 
SHA-2 Migration Guide 
Browser Workarounds
What to do

Background 

In short, the SHA-1 deprecation program required that Certification Authorities (CAs) stop signing with SHA-1 as of January 1, 2016. The deprecation program caused the number of SHA-1 signed certificates to drop sharply, so that as of November 2016 only 2.5 percent of SSL/TLS certificates found online were using SHA-1.

Root Programs Key Dates

Failure to migrate to SHA-2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. It is anticipated that all popular browsers will show errors for SHA-1 signed SSL/TLS certificates in 2017:

Chrome (end of January 2017): Google indicates that Chrome 56, to be released at the end of January 2017, will remove trust for SHA-1 certificates from publicly trusted CAs. With Chrome 57, trust will be removed for SHA-1 certificates issued from private trust CAs. For private or local CAs, an enterprise can correct this error by implementing a change to enable SHA-1 for local anchors.

Firefox (January 24, 2017): Mozilla announced that with release 51 on January 24, 2017, Firefox will show an Untrusted Connection error, which users can override, if a SHA-1 certificate chains to a root in the Mozilla CA certificate program.

IE and Edge (February 14, 2017): Microsoft stated that on February 14, 2017 an update to Microsoft Edge and Internet Explorer 11 will be released to display an Invalid Certificate warning page alerting users that their connection is not secure. Although not recommended, browser users will have the option to continue to the website.

Safari and WebKit (Spring 2017): Apple has announced that in Spring 2017 a security update to Apple operating systems will remove support for SHA-1 signed certificates for Safari and WebKit.

Browser Workarounds

By summer of 2017 all popular browsers will indicate an error to the user of any website with a SHA-1 signed certificate. Note, however, that there are some exceptions to be aware of regarding internal certificates. For internal certificates, SHA-1 warnings can be suppressed as follows:

  • Chrome: Push out a policy for Chrome users called EnterpriseWebStoreName (deprecated).
  • Firefox: Configure "security.pki.sha1_enforcement_level" to a value of "0" in the about:config settings.
  • IE and Edge: Certificates that are anchored to roots that are not listed in the root program will still be trusted.

What to do

If you are still using SHA-1 signed certificates, it is important to understand how you will be impacted by this change. Please contact our support team to discuss your unique case if none of the above workarounds will work for you. Note that your ultimate aim should be to move to certificates signed with a SHA-2 family algorithm (in practice, SHA-256) as soon as possible.
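The first migration step is an inventory of which certificates are still SHA-1 signed. The following added example (not code from this article or from AffirmTrust) reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with only the Python standard library and classifies it as SHA-1 or SHA-2; it covers both RSA and ECDSA signature OIDs, which goes beyond the RSA case the article discusses. The sample inputs are constructed DER skeletons with a real certificate's outer shape, not real certificates; feed it `open("cert.der", "rb").read()` for a real one.

```python
# OIDs from RFC 3279 / RFC 4055 / RFC 5758 for the outer signatureAlgorithm field.
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
             "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
             "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped as an opaque blob
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def classify(der):
    """Return ('sha1'|'sha2'|'unknown', algorithm name or OID) for a DER certificate."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_OIDS:
        return "sha1", SHA1_OIDS[oid]
    if oid in SHA2_OIDS:
        return "sha2", SHA2_OIDS[oid]
    return "unknown", oid

def _tlv(tag, content):                    # short-form DER encoder for the constructed samples
    return bytes([tag, len(content)]) + content

def _sample_cert(sig_oid):
    """Constructed DER skeleton with a real Certificate's outer shape; not a real certificate."""
    alg_id = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")             # OID + NULL parameters
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))   # tbs, alg, BIT STRING

SHA1_RSA_SAMPLE = _sample_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_RSA_SAMPLE = _sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
ECDSA_SHA1_SAMPLE = _sample_cert(bytes.fromhex("2a8648ce3d0401"))      # ecdsa-with-SHA1
```

Run the check over every certificate in the chain, not just the leaf: a SHA-2 leaf issued by a SHA-1 signed intermediate still triggers the browser errors listed above.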

If you have any questions or concerns please contact the AffirmTrust department for further assistance: 

Support Hours of Operation: 
Sunday 8PM ET to Friday 8PM ET
[email protected]