In 2013 Microsoft announced that it will no longer support the SSL/TLS certificates signed with the SHA-1 hashing algorithm as of 2017. In addition Mozilla, Apple and Google announce that they would do the same for their browsers in support of Microsoft's decision.
In short, the SHA-1 deprecation program required that Certification Authorities (CAs) stop signing with SHA-1 as of January 1, 2016. The effect of the deprecation program saw the number of SHA-1 signed certificates drop hugely, so that as of November 2016 only 2.5 percent of SSL/TLS certificates found online were using SHA-1.
Failure to migrate to SHA‑2 in a timely manner will result in browsers not displaying content properly and end-users receiving security warnings. It is anticipated that all popular browser will show errors for SHA-1 signed SSL/TLS certificates in 2017:
|End of January 2017||Google indicates Chrome 56 to be released at the end of January 2017 will remove trust for SHA-1 certificates from publicly trusted CAs. With Chrome 57, trust will be removed for SHA-1 certificates issued from private trust CAs. For private or local CAs, an enterprise can correct this error by implementing a change to enable SHA-1 for local anchors.|
|January 24, 2017||Mozilla announced that with release 51 January 24, 2017 Firefox will show an Untrusted Connection error if a SHA-1 certificate chains to a root in the Mozilla CA certificate program that users can override.|
IE and Edge
|February 14, 2017||Microsoft stated that on February 14, 2017 an update to Microsoft Edge and Internet Explorer 11 will be released to display an Invalid Certificate warning page alerting users that their connection is not secure. Although not recommended, browser users will have the option to continue to the website.|
Safari and Webkit
|Spring 2017||Apple has announced that in Spring 2017 a security update to Apple operating systems will remove support for SHA-1 signed certificates for Safari and Webkit.|
If you have yet to migrate to SHA-2, check out Entrust Datacard’s SHA-2 Migration Guide. It will help you plan and execute a successful SHA-2 migration to avoid extra costs, eliminate service disruptions and ensure compliance.
By summer of 2017 all popular browsers will indicate an error for the user of any website with a SHA-1 signed certificate. Note, however, there are some exceptions to be aware of in regards to internal certificates. For internal certificates, SHA-1 warnings can be ignored:
- Chrome: Push out a policy for Chrome users called EnterpriseWebStoreName (deprecated).
- Firefox: Configure “security.pki.sha1_enforcement_level” to a value of “0” for about>config settings.
- IE and Edge: Certificates that are anchored to roots that are not listed in the root program will still be trusted.
If you are still using SHA-1 signed certificates, it's important to understand how you will be impacted by this change in protocol. Please contact our support team to discuss your unique case if one of the above workarounds will not work for you. Note that your ultimate aim should be to move to SHA-2 (a.k.a. SHA-256) signed certificates as soon as possible.
If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
|Australia||0011 - 800-3687-7863|
|Austria||00 - 800-3687-7863|
|Belgium||00 - 800-3687-7863|
|Denmark||00 - 800-3687-7863|
|Finland||990 - 800-3687-7863 (Telecom Finland)|
00 - 800-3687-7863 (Finnet)
|France||00 - 800-3687-7863|
|Germany||00 - 800-3687-7863|
|Hong Kong||001 - 800-3687-7863 (Voice)|
002 - 800-3687-7863 (Fax)
|Ireland||00 - 800-3687-7863|
|Israel||014 - 800-3687-7863|
|Italy||00 - 800-3687-7863|
|Japan||001 - 800-3687-7863 (KDD)|
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
|Korea||001 - 800-3687-7863 (Korea Telecom)|
002 - 800-3687-7863 (Dacom)
|Malaysia||00 - 800-3687-7863|
|Netherlands||00 - 800-3687-7863|
|New Zealand||00 - 800-3687-7863|
|Norway||00 - 800-3687-7863|
|Singapore||001 - 800-3687-7863|
|Spain||00 - 800-3687-7863|
|Sweden||00 - 800-3687-7863 (Telia)|
00 - 800-3687-7863 (Tele2)
|Switzerland||00 - 800-3687-7863|
|Taiwan||00 - 800-3687-7863|
|United Kingdom||00 - 800-3687-7863|
0800 121 6078
+44 (0) 118 953 3088