Internet Explorer - SHA1 Deprecation - Registry Key Value "PreventIgnoreCertErrors"

  • Question

  • Hello,

    I am looking for some technical documentation regarding the following registry key: "PreventIgnoreCertErrors".

    Details:

    New versions of IE will no longer allow you to bypass the certificate error for sites that are secured using SHA1 SSL/TLS certificates (public key or intermediate certificates, not the root).

    To bypass the error you can add "PreventIgnoreCertErrors" as a DWORD (32-bit) value and change the value data to 0. This will allow you to bypass the warning manually and continue to the SHA1 SSL/TLS site.

    Question:

    When I add the registry key and change the value to 0, what impact does it have on the SSL/TLS connection? Will IE not trust the connection and ignore the SSL/TLS handshake?

    Thank you,

    Rob

    Monday, May 22, 2017 6:33 AM
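As an added example (not part of the original thread), here is how the value described in the question would be read and set from PowerShell, with a read-back that also confirms the data type is REG_DWORD rather than a string "0". The value name PreventIgnoreCertErrors comes from the question; the key path is an assumption for illustration (the Group Policy "Prevent ignoring certificate errors" writes a value of this name under a Policies key, but verify the path against Microsoft's documentation for your IE build) and is exposed as a parameter so it can be changed without editing the functions.

```powershell
# Added example, not from the thread. Key path is an ASSUMPTION; adjust $DefaultKey
# to the location documented for your IE/Windows build.
$DefaultKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PreventIgnoreCertErrors {
    param([string] $Key = $DefaultKey)
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $regKey -or 'PreventIgnoreCertErrors' -notin $regKey.GetValueNames()) {
        # Value absent: the browser falls back to its built-in default behaviour.
        return $null
    }
    [pscustomobject]@{
        Key   = $Key
        Value = $regKey.GetValue('PreventIgnoreCertErrors')
        Kind  = $regKey.GetValueKind('PreventIgnoreCertErrors')   # expect 'DWord'
    }
}

function Set-PreventIgnoreCertErrors {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value,
        [string] $Key = $DefaultKey
    )
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$Key\PreventIgnoreCertErrors", "set REG_DWORD to $Value")) {
        # -PropertyType DWord matters: a REG_SZ "0" is not the same as a REG_DWORD 0.
        New-ItemProperty -Path $Key -Name 'PreventIgnoreCertErrors' `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    # Read back so the caller sees what actually landed in the registry.
    Get-PreventIgnoreCertErrors -Key $Key
}

# Usage (run elevated for HKLM):
#   Get-PreventIgnoreCertErrors
#   Set-PreventIgnoreCertErrors -Value 0 -WhatIf   # dry run
#   Set-PreventIgnoreCertErrors -Value 0           # allow users to click through the warning
#   Set-PreventIgnoreCertErrors -Value 1           # enforce: no click-through
```

Setting the value to 0 only changes whether the user can click past the certificate warning; the TLS handshake and encryption are negotiated exactly as before, the browser simply lets the user accept a chain it has already flagged as invalid.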

All replies

  • Hi Rob Lauzon,

    Starting on May 9, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the Windows 10 Creators Update blocks SHA-1 by-default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions below.

    This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

    You could refer to the links below.

    Windows Enforcement of SHA1 Certificates

    https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx

    SHA-1 Collisions Research

    https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 23, 2017 8:19 AM
    Moderator
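To check which case a given site falls into (SHA-1 on the leaf or an intermediate, versus only on the root, which the enforcement does not reject), here is an added PowerShell example that is not part of the thread: it opens a TLS connection, lets Windows build the chain, and reports the signature algorithm of each element, flagging SHA-1 only on non-root elements. The function name and output fields are my own; it needs network access to the host being tested.

```powershell
# Added example, not from the thread. Inspects a server's certificate chain as
# Windows builds it and flags SHA-1 signatures on the leaf or intermediates.
function Get-TlsChainSignatureReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    # Shared holder so the validation callback can hand results back to the caller.
    $state = @{ Report = @(); PolicyErrors = $null }

    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        if ($null -ne $chain) {
            $elements = @($chain.ChainElements)
            $last = $elements.Count - 1
            $state.Report = for ($i = 0; $i -le $last; $i++) {
                $cert = $elements[$i].Certificate
                # Root = last element and self-signed; its own signature is not what
                # the SHA-1 enforcement rejects.
                $isRoot = ($i -eq $last) -and ($cert.Subject -eq $cert.Issuer)
                $alg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
                [pscustomobject]@{
                    Position     = $i
                    Subject      = $cert.Subject
                    Issuer       = $cert.Issuer
                    SignatureAlg = $alg
                    IsRoot       = $isRoot
                    Sha1Problem  = (-not $isRoot) -and ($alg -match 'sha1')
                }
            }
        }
        # Accept the handshake regardless of errors: this inspects, it does not trust.
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] $validator
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)   # SNI and chain building happen here
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Dispose()
    }

    [pscustomobject]@{
        Host           = $HostName
        PolicyErrors   = $state.PolicyErrors
        Elements       = $state.Report
        HasSha1NonRoot = [bool]($state.Report | Where-Object Sha1Problem)
    }
}

# Usage:
#   $r = Get-TlsChainSignatureReport -HostName 'www.example.com'
#   $r.Elements | Format-Table Position, SignatureAlg, IsRoot, Sha1Problem, Subject -AutoSize
#   $r.HasSha1NonRoot
```

HasSha1NonRoot is $true for the case the thread is about (a SHA-1 signed leaf or intermediate); a SHA-1 self-signature on the root alone leaves it $false. PolicyErrors shows what Windows itself thought of the chain (for example an untrusted root for an enterprise or self-signed certificate), which is the other condition Carl's reply mentions.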
  • Hello Carl,

    Thank you for taking the time to provide the details above, but this does not answer the question. I am looking to bypass the warning but I want to ensure that SSL/TLS encryption will not be impacted if I use the specified registry key.

    Will using "PreventIgnoreCertErrors" prevent SSL/TLS from encrypting the traffic? Or is this for the warning bypass only?

    I believe I found the answer by mining through the content that you provided. One of the links led me to a document, "Implementing SHA-2 in Active Directory Certificate Services (ADCS)". This document has details on how to disable the SHA-1 changes without impacting the SSL/TLS encryption of the web traffic.

    https://gallery.technet.microsoft.com/Migrating-SHA-1-to-SHA-2-82ee3a4e

    Thank you,

    Rob


    Wednesday, May 24, 2017 2:27 AM
  • Hi Rob,

    Thank you for your clarification.

    If any further help needed, please feel free to post back.

    Best regards,

    Carl


    Saturday, May 27, 2017 9:17 AM
    Moderator