SHA1 Deprecation - Error messages received on IE post Jan 2017

Question

  • I'd like more clarification about IE no longer trusting SHA1 certificates. Does this mean that sites accessed that use a SHA1 certificate can no longer be accessed at all? Or that it can be accessed but the connection is broken and error messages will remain on the address bar?

    Wednesday, July 6, 2016 12:18 AM

All replies

  • Hi Nat Bart,

    The SHA1 Deprecation Policy you mentioned only applies to CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.

    But down below under the "SHA1 deprecation policy" it says nothing about the actual root certs.

    You don’t have to worry about this, since when the time comes, Windows machines will download publicly trusted root certificates with a non-SHA1 algorithm; in other words, the Windows Root Certificate Program will update the trusted root certificates of public CAs.

    More information for you:

    SHA1 Deprecation

    https://social.technet.microsoft.com/Forums/lync/en-US/2eed4e80-5b24-4983-87eb-6ce36ab42cee/sha1-deprecation?forum=winserversecurity

    Hope it will be helpful to you


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, July 7, 2016 2:53 AM
  • Thanks Carl.

    The concern I have is with SSL certificates signed with Signature Hash set as SHA1. I notice the warning messages with them when they expire before 2017, and I also noticed the error messages when they expire after 2017. I'm just wondering: if, say, it is now time that IE stops supporting SHA1-signed certificates, does this mean the website associated with that certificate will be inaccessible, or will it still be accessible with visible error messages?

    Regards,

    Nat

    Thursday, July 7, 2016 3:59 AM
  • Hi Nat Bart,

    According to SHA1 deprecation:

    For non SSL and Code Signing certificates, CAs should stop issuing SHA1 certificates by 1 January 2016. Microsoft reserves the right to update Windows to stop accepting SHA1 certificates on or after 1 January 2017.

    Hope it will be helpful to you


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, July 12, 2016 1:50 AM
  • This response is confusing and there doesn't appear to be a lot of clear information on this topic.

    The way I understand it:

    1. February 15, 2017: SHA-1 certificates will throw some message in IE stating that the certificate is untrusted
    2. It will only throw this message on certificates that are part of Windows Root Certificate Program. Certificates issued by an entity outside of this program will not be considered "insecure"
    3. Root certificates that are signed with SHA-1 will not be an issue because the root certificate is trusted explicitly.

    Are these assumptions correct? Again, there is a lot of conflicting information out there, and for developers that develop browser applications that are using HTTPS it would be good to get clear information.

    Wednesday, November 16, 2016 10:05 PM
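One way to check a certificate chain against the three assumptions listed above, as an added example that is not from this thread: it walks the chain Windows builds for a certificate, flags SHA-1 signatures on the leaf and intermediates, and exempts the self-signed root (trusted explicitly from the root store, not by its own signature). It assumes Windows PowerShell with the .NET X509Chain class; the 1 January 2017 cutoff is the date quoted in the replies.

```powershell
# Added example, not from the thread: list every certificate in a chain and flag
# SHA-1 signatures on the leaf and intermediates. The self-signed root is exempt
# because Windows trusts it by its presence in the root store, not by validating
# its signature (assumption 3 in the post above).
function Test-Sha1Chain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Cutoff date quoted in this thread; certificates still valid past it need replacing first.
        [datetime]$Cutoff = [datetime]'2017-01-01'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: signature-algorithm audit only
    # Build() returns $false for untrusted or expired chains, but ChainElements is still populated.
    $null = $chain.Build($Certificate)
    $elements = $chain.ChainElements
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $cert = $elements[$i].Certificate
        $alg  = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA, sha256RSA
        $isSelfSignedRoot = ($i -eq $elements.Count - 1) -and ($cert.Subject -eq $cert.Issuer)
        [pscustomobject]@{
            Depth              = $i
            Subject            = $cert.Subject
            SignatureAlgorithm = $alg
            NotAfter           = $cert.NotAfter
            IsRoot             = $isSelfSignedRoot
            # Only non-root certificates signed with a SHA-1 variant are a deprecation concern.
            Sha1Concern        = (-not $isSelfSignedRoot) -and ($alg -like 'sha1*')
            ValidPastCutoff    = $cert.NotAfter -gt $Cutoff
        }
    }
    $chain.Reset()
}

# Usage: audit every certificate in the machine's personal store and show only the problems.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-Sha1Chain -Certificate $_ } |
    Where-Object { $_.Sha1Concern } |
    Format-Table Depth, Subject, SignatureAlgorithm, NotAfter, ValidPastCutoff -AutoSize
```

Run it in an elevated session to read the LocalMachine store; drop the Where-Object stage to see the full chain, root included, for each certificate.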