Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2016-07-05 16:01:39.0

Microsoft SHA2 Policy

Article Number: 46364

 

Description:

 

Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.  It will allow CAs to continue to issue SSL and code signing certificates until January 1 2016, and thereafter issue SHA2 certificates only

 

Windows PKI blog, "SHA1 Deprecation Policy". http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx, December 12/17/2013

 

Key Dates:

  • 1 Jan 2016 – CAs must stop issuing SHA1 certificates
  • 1 Jan 2017 – Windows will stop accepting SHA1 SSL certificates
  • 1 Jan 2016 – Windows will stop accepting SHA1 code signing certificates without time stamps

 

Details:

For SSL certificates, Windows will stop accepting SHA-1 end-entity certificates by January 1, 2017. This means for Windows, a three-year SHA-1 certificate issued after January 1, 2014 won’t work after that date. Same for a two-year SHA-1 certificate issued after January 1, 2015, and a one-year SHA-1 certificate issued after January 1, 2016. It’s time to plan ahead when ordering or renewing your certificates.

 

For code signing certificates, Windows will stop accepting SHA-1 code signing certificates without time stamps after January 1, 2016.

 

Internet Explorer and  new versions of Mac OSX, Firefox, Chrome, Opera, Safari, Java and Adobe Acrobat/Reader all support SHA-2

 

Some enterprises might be running a non-browser application that does not support SHA-2. If you are unaware, you need to do some investigation or testing to see if your system supports SHA-2 and consider your migration plan.

 

 

Resources:

 - http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

 

Windows Server 2003 and XP SHA-2 Update: http://support.microsoft.com/kb/968730

 

Supported Browsers:

Internet Explorer 7+ with Windows XP SP3+

Safari with Mac OS X 10.5+

Firefox 1.5+

Netscape 7.1+

Mozilla 1.4+

Opera 9.0+

Konqueror 3.5.6+

Mozilla based browsers sine 3.8+

OpenSSL 0.9.8o+

Java 1.4.2+ based products

TN8766

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable