Summary
Given the SHA-1 deprecation of 2017, this article explains what to do about certificate chains where the signed end entity certificate is SHA-2 but the intermediate certificates are SHA-1.
Effective February 14, 2017, Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page when users browse to a TLS site that uses a SHA-2 end entity and a SHA-1 intermediate.
The end user will have the option to continue to the website, although it is not recommended. Google Chrome will not block these sites.
Only certificates that use the SHA-2 Signing Algorithm and have been issued from the “Entrust – L1C” or the “Entrust – L1E” Certificate Authorities are affected.
How to resolve this issue
You must identify which certificate(s) have been issued from the "Entrust - L1C" or "Entrust - L1E" Certificate Authorities.
ECS Enterprise account users can run a report to find these certificate(s).
Go to Reports > Report Center. On the left-hand menu, select Issued Certificates.
Once the report loads, find the column Issuer DN. If the column is not displaying, you may add a column by selecting any of the currently displaying columns, and on the dropdown that opens, selecting Columns and checking off the column you wish to add.
On the Issuer DN column, add a filter as shown below:
You must reissue the identified SHA-2 SSL certificate(s). When you do so, the new certificate will be issued from a separate SHA-2 subordinate CA and the problem will be avoided.
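For inventories kept outside the ECS report, the same triage can be scripted. The following Python code is an added example, not Entrust code: it flags SHA-2 signed certificates whose issuer CN names Entrust L1C or L1E, tolerating the hyphen and en dash spellings of the CA names. The CSV layout, the column names Common Name and Signing Algorithm, and the sample rows are assumptions constructed for illustration; only the Issuer DN column name comes from the report described above.

```python
import csv
import io
import re

AFFECTED_CAS = {"L1C", "L1E"}  # CA suffixes named in this article
SHA2_MARKERS = ("sha224", "sha256", "sha384", "sha512")

# Constructed sample inventory; column names other than "Issuer DN" are hypothetical.
SAMPLE_REPORT = """\
Common Name,Issuer DN,Signing Algorithm
www.example.com,"CN=Entrust - L1C, O=Example Org, C=US",SHA256withRSA
shop.example.com,"C=US, O=Example Org, CN=Entrust – L1E",sha256WithRSAEncryption
old.example.com,"CN=Entrust - L1C, O=Example Org, C=US",SHA1withRSA
api.example.com,"CN=Example Issuing CA G2, O=Example Org, C=US",SHA256withRSA
"""

def issuer_cn(issuer_dn):
    """Return the CN of a DN string with dash variants normalized to '-'."""
    match = re.search(r"(?:^|,)\s*CN\s*=\s*([^,]+)", issuer_dn, re.IGNORECASE)
    cn = match.group(1).strip() if match else ""
    return re.sub(r"[\u2010-\u2015]", "-", cn)  # en dash, em dash, etc.

def is_affected(issuer_dn, sig_alg):
    """True for a SHA-2 signed certificate issued by Entrust L1C or L1E."""
    tokens = [t.strip() for t in issuer_cn(issuer_dn).split("-")]
    from_affected_ca = (
        len(tokens) >= 2
        and tokens[0].lower().startswith("entrust")  # assumption: loose CN match
        and tokens[-1].upper() in AFFECTED_CAS
    )
    alg = sig_alg.lower().replace("-", "")  # accept "SHA-256" and "sha256..."
    return from_affected_ca and any(m in alg for m in SHA2_MARKERS)

def affected_rows(report_csv):
    """Return the Common Name of every row that needs to be reissued."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return [row["Common Name"] for row in reader
            if is_affected(row["Issuer DN"], row["Signing Algorithm"])]

if __name__ == "__main__":
    print(affected_rows(SAMPLE_REPORT))
```

SHA-1 signed certificates from the same CAs are deliberately not flagged here, because this article's issue only concerns SHA-2 end entity certificates.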
For more information, see our technote on SHA-1 deprecation here.
If you have any questions or concerns, please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll free call.
Country | Number |
Australia | 0011 - 800-3687-7863; 1-800-767-513 |
Austria | 00 - 800-3687-7863 |
Belgium | 00 - 800-3687-7863 |
Denmark | 00 - 800-3687-7863 |
Finland | 990 - 800-3687-7863 (Telecom Finland); 00 - 800-3687-7863 (Finnet) |
France | 00 - 800-3687-7863 |
Germany | 00 - 800-3687-7863 |
Hong Kong | 001 - 800-3687-7863 (Voice); 002 - 800-3687-7863 (Fax) |
Ireland | 00 - 800-3687-7863 |
Israel | 014 - 800-3687-7863 |
Italy | 00 - 800-3687-7863 |
Japan | 001 - 800-3687-7863 (KDD); 004 - 800-3687-7863 (ITJ); 0061 - 800-3687-7863 (IDC) |
Korea | 001 - 800-3687-7863 (Korea Telecom); 002 - 800-3687-7863 (Dacom) |
Malaysia | 00 - 800-3687-7863 |
Netherlands | 00 - 800-3687-7863 |
New Zealand | 00 - 800-3687-7863; 0800-4413101 |
Norway | 00 - 800-3687-7863 |
Singapore | 001 - 800-3687-7863 |
Spain | 00 - 800-3687-7863 |
Sweden | 00 - 800-3687-7863 (Telia); 00 - 800-3687-7863 (Tele2) |
Switzerland | 00 - 800-3687-7863 |
Taiwan | 00 - 800-3687-7863 |
United Kingdom | 00 - 800-3687-7863; 0800 121 6078; +44 (0) 118 953 3088 |