Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-02-22 10:42:19.0

SHA-1 Deprecation 2017: Background, Root Program Key Dates, Migration Guide

Article Number: 70592


In 2013 Microsoft announced that it would no longer support SSL/TLS certificates signed with the SHA-1 hashing algorithm as of 2017. Mozilla, Apple and Google then announced that they would do the same for their browsers in support of Microsoft's decision.

Background 
Root Programs Key Dates 
SHA-2 Migration Guide 
Browser Workarounds
What to do

In short, the SHA-1 deprecation program required that Certification Authorities (CAs) stop signing with SHA-1 as of January 1, 2016. As a result, the number of SHA-1 signed certificates dropped sharply: as of November 2016 only 2.5 percent of SSL/TLS certificates found online were still using SHA-1.

Failure to migrate to SHA-2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. All popular browsers are expected to show errors for SHA-1 signed SSL/TLS certificates in 2017:

Browser / When / Details

Chrome (end of January 2017): Google indicates that Chrome 56, to be released at the end of January 2017, will remove trust for SHA-1 certificates from publicly trusted CAs. With Chrome 57, trust will also be removed for SHA-1 certificates issued by private-trust CAs. For private or local CAs, an enterprise can correct this error by implementing a change to enable SHA-1 for local anchors.

Firefox (January 24, 2017): Mozilla announced that with release 51 on January 24, 2017, Firefox will show an Untrusted Connection error, which users can override, if a SHA-1 certificate chains to a root in the Mozilla CA certificate program.

IE and Edge (February 14, 2017): Microsoft stated that on February 14, 2017 an update to Microsoft Edge and Internet Explorer 11 will be released that displays an Invalid Certificate warning page alerting users that their connection is not secure. Although not recommended, browser users will have the option to continue to the website.

Safari and WebKit (spring 2017): Apple has announced that in spring 2017 a security update to Apple operating systems will remove support for SHA-1 signed certificates for Safari and WebKit.

If you have yet to migrate to SHA-2, check out Entrust Datacard’s SHA-2 Migration Guide. It will help you plan and execute a successful SHA-2 migration to avoid extra costs, eliminate service disruptions and ensure compliance.

By summer 2017 all popular browsers will show an error to users of any website with a SHA-1 signed certificate. Note, however, that there are some exceptions to be aware of with regard to internal certificates. For internal certificates, the SHA-1 warnings can be ignored as follows:

  • Chrome: Push out a policy for Chrome users called EnterpriseWebStoreName (deprecated).
  • Firefox: Set "security.pki.sha1_enforcement_level" to a value of "0" in about:config.
  • IE and Edge: Certificates that are anchored to roots that are not listed in the root program will still be trusted.
What to do

If you are still using SHA-1 signed certificates, it is important to understand how you will be impacted by this change. If none of the above workarounds will work for you, please contact our support team to discuss your specific case. Note that your ultimate aim should be to move to SHA-2 (a.k.a. SHA-256) signed certificates as soon as possible.
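To find out whether a certificate is still SHA-1 signed, read the signatureAlgorithm field of its DER encoding. The following is an added example, not Entrust's code: a dependency-free ASN.1 walk that maps the algorithm OID to the hash it uses, exercised against constructed stand-in certificates (dummy tbsCertificate and signature, real algorithm OIDs) rather than real ones.

```python
# Signature-algorithm OIDs (RFC 3279/4055/5758) -> hash used by the issuer's signature.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10040.4.3": "SHA-1",        # dsa-with-sha1
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def _tlv(der, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Return the hash behind a certificate's signatureAlgorithm, or 'unknown(<oid>)'."""
    tag, pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, pos)         # skip tbsCertificate entirely
    tag, alg_pos, _ = _tlv(der, tbs_end)   # signatureAlgorithm ::= AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _tlv(der, alg_pos)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_HASH.get(oid, f"unknown({oid})")

# Constructed fixtures (not real certificates): dummy tbs and signature, real algorithm OIDs.
def _der(tag, body):
    assert len(body) < 128                 # short-form length suffices for these fixtures
    return bytes([tag, len(body)]) + body

def constructed_cert(sig_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))           # placeholder tbsCertificate
    alg = _der(0x30, sig_oid_der + b"\x05\x00")     # AlgorithmIdentifier { oid, NULL }
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa\xbb"))  # + placeholder BIT STRING

SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run `signature_hash` over the DER of each certificate in a chain (leaf and intermediates; the root's own self-signature is not checked by browsers) and replace any that report SHA-1.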

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 

Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
Country: Number
Australia: 0011 - 800-3687-7863; 1-800-767-513
Austria: 00 - 800-3687-7863
Belgium: 00 - 800-3687-7863
Denmark: 00 - 800-3687-7863
Finland: 990 - 800-3687-7863 (Telecom Finland); 00 - 800-3687-7863 (Finnet)
France: 00 - 800-3687-7863
Germany: 00 - 800-3687-7863
Hong Kong: 001 - 800-3687-7863 (Voice); 002 - 800-3687-7863 (Fax)
Ireland: 00 - 800-3687-7863
Israel: 014 - 800-3687-7863
Italy: 00 - 800-3687-7863
Japan: 001 - 800-3687-7863 (KDD); 004 - 800-3687-7863 (ITJ); 0061 - 800-3687-7863 (IDC)
Korea: 001 - 800-3687-7863 (Korea Telecom); 002 - 800-3687-7863 (Dacom)
Malaysia: 00 - 800-3687-7863
Netherlands: 00 - 800-3687-7863
New Zealand: 00 - 800-3687-7863; 0800-4413101
Norway: 00 - 800-3687-7863
Singapore: 001 - 800-3687-7863
Spain: 00 - 800-3687-7863
Sweden: 00 - 800-3687-7863 (Telia); 00 - 800-3687-7863 (Tele2)
Switzerland: 00 - 800-3687-7863
Taiwan: 00 - 800-3687-7863
United Kingdom: 00 - 800-3687-7863; 0800 121 6078; +44 (0) 118 953 3088


Affected Products:

  • Entrust Authority GSS-API Toolkit for C 5.01 English AIX
  • Entrust Authority GSS-API Toolkit for C 5.01 English HP-UX
  • Entrust Authority GSS-API Toolkit for C 5.01 English Solaris
  • Entrust Authority GSS-API Toolkit for C 5.01 English Windows
  • Entrust Authority GSS-API Toolkit for C 5.02 English AIX
  • Entrust Authority GSS-API Toolkit for C 5.02 English HP-UX
  • Entrust Authority GSS-API Toolkit for C 5.02 English Solaris
  • Entrust Authority GSS-API Toolkit for C 5.02 English Windows
  • Entrust Authority GSS-API Toolkit for C 5.1 English AIX
  • Entrust Authority GSS-API Toolkit for C 5.1 English HP-UX
  • Entrust Authority GSS-API Toolkit for C 5.1 English Solaris
  • Entrust Authority GSS-API Toolkit for C 5.1 English Windows
  • Entrust Authority GSS-API Toolkit for C 6.0 English AIX
  • Entrust Authority GSS-API Toolkit for C 6.0 English HP-UX
  • Entrust Authority GSS-API Toolkit for C 6.0 English Solaris
  • Entrust Authority GSS-API Toolkit for C 6.0 English Windows