Skip to main content

SHA 1 Deprecation: SHA-2 end entity certificates with SHA-1 intermediate certificates

Summary

Given the SHA-1 deprecation of 2017, what to do about certificates where signed end entity certificate is SHA-2, but intermediate certificates are SHA-1.


User-added image

Effective February 14, 2017,  Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page when users browse to a TLS site that uses a SHA-2 end entity and a SHA-1 intermediate. For example:

User-added image

The end user will have the option to continue to the website, although it is not recommended. Google Chrome will not block these sites.

Only certificates that use the SHA-2 Signing Algorithm and have been issued from the “Entrust – L1C” or the “Entrust – L1E” Certificate Authorities are affected.

How to resolve this issue

You must identity which certificate(s) have been issued from the "Entrust - L1C" or "Entrust - L1E" Certificate Authorities.

ECS Enterprise account users can run a report to find these certificate(s).

Go to Reports > Report Center . On the left-hand menu, select Issued Certificates .

Once the report loads, find the column Issuer DN . If the column is not displaying, you may add a column by selecting any of the currently displaying columns, and on the dropdown that opens, selecting Columns and checking off the column you wish to add.

On the IssuerDN column, add a filter as shown below:

User-added image

You must reissue the identified SHA-2 SSL certificate(s). When you do so, the new certificate will be issued from a separate SHA-2 subordinate CA and the problem will be avoided.

For more information see our technote on SHA-1 deprecation here .

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:

Sunday 8:00 PM ET to Friday 8:00 PM ET

North America (toll free): 1-866-267-9297

Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

Country Number
Australia 0011 - 800-3687-7863
1-800-767-513
Austria 00 - 800-3687-7863
Belgium 00 - 800-3687-7863
Denmark 00 - 800-3687-7863
Finland 990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France 00 - 800-3687-7863
Germany 00 - 800-3687-7863
Hong Kong 001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland 00 - 800-3687-7863
Israel 014 - 800-3687-7863
Italy 00 - 800-3687-7863
Japan 001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
Korea 001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia 00 - 800-3687-7863
Netherlands 00 - 800-3687-7863
New Zealand 00 - 800-3687-7863
0800-4413101
Norway 00 - 800-3687-7863
Singapore 001 - 800-3687-7863
Spain 00 - 800-3687-7863
Sweden 00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland 00 - 800-3687-7863
Taiwan 00 - 800-3687-7863
United Kingdom 00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088