SHA-1 SSL Certificates ruling out

  • Question

  • Hi,

    Internet Explorer is set not to trust SHA-1 SSL Server certificates by June 2016 after the SHA-1 was almost broken in Nov 2015.

    Do you know if SHA-1 SSL Client certificate will be ruled out as well? If yes, what is the expected deadline / ruling-out criteria (notBefore / notAfter / ...)?

    Thanks in advance
    @iansus

    Tuesday, April 12, 2016 3:53 PM

All replies

  • Hi iansus,

     

    Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.

     

    This restriction will not apply to the time-stamp certificate used to time-stamp the code-signing certificate or the certificate’s signature hash (thumbprint) until January 1, 2017. After this time, Windows will treat any code with a SHA-1 time-stamp or SHA-1 signature hash (thumbprint) as if the code did not have a time-stamp signature.

     

    For more information, please refer to the link:

    http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

     

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, April 13, 2016 1:43 PM
    Moderator
  • Thank you for your answer.

    However, my question was targeting the signature algorithm of the certificate itself, in this case SHA1WithRSA. I understand that Internet Explorer will (or already has, depending on the certificate expiration date) not trust the server certificate if signed with sha1RSA.

    I don't recall there was any reference to the case of client authentication certificates (as used in SSL mutual authentication): as the server will be the one checking the certificate integrity, the burden of deciding whether to trust the certificate or not should entirely rely on it (as Firefox security team says: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0YnlEOlLeTs).

    To sum up, I would just want to know if I will still be able to use a sha1RSA signed client certificate to perform mutual authentication past January 1st, 2017.

    Thanks in advance
    @iansus

    Monday, April 18, 2016 11:30 AM
  • I think it is possible, but it will be at risk, please be careful.

    Tuesday, April 19, 2016 1:31 AM
    Moderator
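
The thread turns on the signature algorithm of the client certificate itself (sha1RSA). The following is an added example, not part of any post in this thread and not Microsoft's code: it inventories the certificates in the Windows personal stores that are usable for client authentication and carry a SHA-1 signature, with the notBefore / notAfter dates the question asks about. The two store paths are assumed to be where the client certificates are installed.

```powershell
# Added example: list client-authentication certificates whose own
# signature uses SHA-1, so they can be reissued before a server starts
# rejecting them.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth (EKU)
$sha1SigOids = @(
    '1.2.840.113549.1.1.5',              # sha1WithRSAEncryption (shown as sha1RSA)
    '1.3.14.3.2.29',                     # legacy OIW sha1RSA
    '1.2.840.10045.4.1',                 # ecdsa-with-SHA1
    '1.2.840.10040.4.3'                  # dsa-with-SHA1
)
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# Assumption: client certificates live in the user and machine "My" stores.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
        # A certificate without an EKU extension is valid for any purpose,
        # including client authentication, so it is kept in the result.
        $isClient = (-not $eku) -or
                    ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)
        $isClient -and ($sha1SigOids -contains $_.SignatureAlgorithm.Value)
    } |
    Sort-Object NotAfter |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
        @{ Name       = 'SignatureAlgorithm'
           Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

The Thumbprint column is only a locally computed identifier for the certificate; the SignatureAlgorithm column is the value that matters for the SHA-1 question.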