SHA-1 Deprecation 2017: Background, Root Program Key Dates, Migration Guide
Article Number: 000070634
In 2013, Microsoft announced that it would no longer support SSL/TLS certificates signed with the SHA-1 hashing algorithm as of 2017. Mozilla, Apple and Google announced that they would do the same for their browsers in support of Microsoft's decision.
In short, the SHA-1 deprecation program required that Certification Authorities (CAs) stop signing with SHA-1 as of January 1, 2016. As a result, the number of SHA-1 signed certificates dropped sharply: as of November 2016, only 2.5 percent of SSL/TLS certificates found online were using SHA-1.
Failure to migrate to SHA-2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. It is anticipated that all popular browsers will show errors for SHA-1 signed SSL/TLS certificates in 2017:
|Browser|Date|Announcement|
|---|---|---|
|Chrome|End of January 2017|Google indicates that Chrome 56, to be released at the end of January 2017, will remove trust for SHA-1 certificates from publicly trusted CAs. With Chrome 57, trust will be removed for SHA-1 certificates issued from private trust CAs. For private or local CAs, an enterprise can correct this error by implementing a change to enable SHA-1 for local anchors.|
|Firefox|January 24, 2017|Mozilla announced that with release 51 on January 24, 2017, Firefox will show an Untrusted Connection error, which users can override, if a SHA-1 certificate chains to a root in the Mozilla CA certificate program.|
|IE and Edge|February 14, 2017|Microsoft stated that on February 14, 2017 an update to Microsoft Edge and Internet Explorer 11 will be released to display an Invalid Certificate warning page alerting users that their connection is not secure. Although not recommended, browser users will have the option to continue to the website.|
|Safari and Webkit|Spring 2017|Apple has announced that in Spring 2017 a security update to Apple operating systems will remove support for SHA-1 signed certificates for Safari and Webkit.|
By summer of 2017, all popular browsers will indicate an error to the user of any website with a SHA-1 signed certificate. Note, however, that there are some exceptions to be aware of with regard to internal certificates. For internal certificates, SHA-1 warnings can be ignored:
- Chrome: Push out a policy for Chrome users called EnterpriseWebStoreName (deprecated).
- Firefox: In the about:config settings, set “security.pki.sha1_enforcement_level” to a value of “0”.
- IE and Edge: Certificates that are anchored to roots that are not listed in the root program will still be trusted.
What to do
If you are still using SHA-1 signed certificates, it's important to understand how you will be impacted by this change in protocol. Please contact our support team to discuss your unique case if one of the above workarounds will not work for you. Note that your ultimate aim should be to move to SHA-2 (a.k.a. SHA-256) signed certificates as soon as possible.
If you have any questions or concerns please contact the AffirmTrust department for further assistance:
Support Hours of Operation:
Sunday 8PM ET to Friday 8PM ET