[CrossPost] SHA1 Deprecation Policy

Update: This page has been removed.  For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below

https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/ https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97 https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx

Comments

• Anonymous
  January 01, 2003
  Hi Amerk,Some of my Issuing CA certificates have the "Signature Algorithm" set to SHA1RSA. After some investigation I found that this most likely means SHA1 for Digest and RSA Algorithm for encryption. RSA doesn't appear to be mentioned in the NIST Special publication you linked. Should I assume that the SHA1RSA certificates will also need to be depricated, or only certificates that sepecifically say 'Sha1'Cheers!

• Anonymous
  January 01, 2003
  Hi Amerk, First of all I wish you a very happy new year! I've heard that Mozilla's about to remove the following root CA certificate from Firefox (from version 28): CN = GTE CyberTrust Global RootOU = "GTE CyberTrust Solutions, Inc."O = GTE CorporationC = USSHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74Could you please tell me what Microsoft's position on that mater is? Thank you very much in advance.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Any timeline for a hotfix to get KMCS on Vista and Win7 to recognize SHA2 certificates?

• Anonymous
  January 01, 2003
  Following on my and DigitalExegete `s comment of painfull experience with SHA256 signing on older systems (and ABSOLUTELY NO official information about this ), does that mean that if i want to install on windows xp (or vista) i must -
  1) install relevant kb update fixing system recognition of SHA2 (wich will be signed by sha1 hopefully),
  2) proceed with product installation.
  In case step 1 required reboot to function our unstall experience is f***ed .
  

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I have a question, about Windows7/8 Code signing. In October, I purchased an SHA-2 Certificate for code signing, since SHA-1's future seemed bleak. My question is that if you are deprecating SHA-1, are you also deprecating Windows Vista/7? I can't code sign (from what I've tried to do) for Windows 7--I just get an unrecognized certificate error. Reading MSDN pages & OSR Forums seem to confirm that SHA-2 is only Win 8/8.1.
  
  I do understand that this may be more suited towards MSDN, but deploying to mixed environment of Win7/8 is an issue if I can't use SHA-2 on my Win7 Machines, and you are basically announcing the end of SHA-1 support.
  
  Thanks for the article!

• Anonymous
  January 01, 2003
  On another MS publication [ http://msdn.microsoft.com/en-us/library/cc433493(v=exchg.80).aspx ] you are depending upon something called "son-of-sha-1". Will this version of sha-1 be around for a while or will it be changed soon as well?

• Anonymous
  January 01, 2003
  Hi I have a question on CA - I have 4 DC installed in my client environment with no CA server manage, 2 DC is in Datacenter 1 and other 2 DC is in Datacenter 2, now the problem is in my client has local computer certificate which will be expire in less than 30 days.I have no idea whether it will renew automatically or i have to renew it manually.the certificate is on local server like is the machine name is "aaa" then the certificate name is aaa.domain.com with intended purpose is server authentication and this will be expire soon I appreciate if you reply ASAP

• Anonymous
  January 01, 2003
  thanks

• Anonymous
  January 01, 2003
  Sorry--SHA-2 should be SHA-256

  • Anonymous
    April 12, 2016
    Not really. SHA-2 is a family of algorithms, one of which is SHA-256.

• Anonymous
  January 01, 2003
  I was inspired by all the answers and replies here, along with different discussions to came up with my own white paper describing the process
  
  There are many sides to the SHA-2 upgrade story. You can do side by side different Root CA migration, or you can upgrade your existing CA servers.
  
  There is a white paper describing each approach and how it will affect your applications:
  
  http://ammarhasayen.com/2015/02/04/what-makes-a-ca-capable-of-issuing-certificates-that-uses-sha-2/

• Anonymous
  January 01, 2003
  SHA2 certs for Authenticode signing on Vista requires https://support.microsoft.com/en-us/kb/2763674 (works for user mode only not for KMCS)

• Anonymous
  January 01, 2003
  Full XP SP3 is here: https://www.microsoft.com/en-ca/download/details.aspx?id=24

• Anonymous
  November 12, 2013
  The comment has been removed

• Anonymous
  November 12, 2013
  SSL Certificate section references 2017, this appears to be a typo and inconsistent with the rest of the depreciation policy.

• Anonymous
  November 12, 2013
  Curious Observer, The text is correct. The policy is a bit confusing but necessary. We want to protect both scenarios as soon as possible but the SSL ecosystem will take longer to transition. That’s why we have the split schedule.

• Anonymous
  November 12, 2013
  Now Office 2010 SP2 and 2013 support SHA2 certificates for VBA digital signatures, but what about 2007?

• Anonymous
  November 12, 2013
  How will this affect Root CAs that are self signed with SHA1? Most roots are signed with this algorithm.

• Anonymous
  November 13, 2013
  Hi! Do Windows XP and 2003 Server support SSL client certificates as well? Am I able to connect to an SHA2 cert web server with my SHA2 SSL client cert? ... With XP SP3 of course.   Thanks!

• Anonymous
  November 13, 2013
  The comment has been removed

• Anonymous
  November 14, 2013
  A few thing in here are unclear to me, could you please elaborate on them:

1. By "Windows will stop accepting SHA1 code signing certificates without time stamps " do you actually mean "Windows will stop accepting code signed by a SHA1 certificate where the signature does not include a timestamp"? I am asking, because I am not aware of a way to add a timestamp to a certificate.
2. At one point you write "CAs must stop issuing new SHA1 [...] Code Signing end-entity certificates by 1 January 2016" and below "Windows will stop accepting SHA1 code signing certificates [...] after 1 January 2016". What is true here. Is every SHA1 certificate going to be rejected after that date or only newly issued ones?
3. Does this really only affect end-entitiy certificates and not root- and intermediate-certificates?
4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/Mime singned e-mails. Will Windows still consider SHA1 certifcates valid for those usages afte January 2016/2017? regards

• Anonymous
  November 14, 2013
  What does this mean for CA certificates - root (as mentioned by Ramo), intermediate and issuing?   Will they be able to continue with SHA1 certificates or will they need to be replaced with SHA2 certificates?

• Anonymous
  November 14, 2013
  The comment has been removed

• Anonymous
  November 14, 2013
  @Ramo The SHA1 deprecation policy does not impact SHA1 root certificates, because Windows relies on other means to validate root certificates besides the signature.  But all root CAs are expected to switch to use SHA2 to sign any subordinate CA certificates, CRLs, etc.

• Anonymous
  November 14, 2013
  @ Toki, I recommend some excellent Windows PKI blog posts for your questions about Windows and SHA2 support. Please see blogs.technet.com/.../sha2-and-windows.aspx and blogs.technet.com/.../common-questions-about-sha2-and-windows.aspx.

• Anonymous
  November 14, 2013
  @ User, As I understand your questions, they apply to enterprise managed PKIs.  This policy does not apply to enterprise PKIs where the root CA is managed by the enterprise.  Enterprise admins can enable the strict SHA2 policy via group policy on their enterprise PKI. However, in the case where the CA is a subordinate under a CA distributed in the Microsoft Root Cert Program, the policy will apply.  If your questions is whether Radius sever supports SHA2, I don’t know the answer.  SHA2 certificates should be supported on Windows Server 2008 or later, but you might contact your Radius server vendor.

• Anonymous
  November 14, 2013
  @ Matt A few thing in here are unclear to me, could you please elaborate on them:

1. By "Windows will stop accepting SHA1 code signing certificates without time stamps " do you actually mean "Windows will stop accepting code signed by a SHA1 certificate where the signature does not include a timestamp"? I am asking, because I am not aware of a way to add a timestamp to a certificate. Answer: Yes, we mean what you say. Apologies for the imprecise language.
2. At one point you write "CAs must stop issuing new SHA1 [...] Code Signing end-entity certificates by 1 January 2016" and below "Windows will stop accepting SHA1 code signing certificates [...] after 1 January 2016". What is true here. Is every SHA1 certificate going to be rejected after that date or only newly issued ones? Answer: You should read “For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps after 1 January 2016” as “For code signing certificates, Windows will stop accepting SHA1 code signing certificates without time stamps by 1 January 2016.  We make no warranties on the exact date that Microsoft will stop accepting SHA1 code signing certs, only that we expect it on or after 1 Jan 2016.  Sorry for the inconsistency.
3. Does this really only affect end-entitiy certificates and not root- and intermediate-certificates? Answer: The policy affects intermediate and end-entity certificates - both intermediates and end-entity certs should transition to SHA2 before the deadlines.  Root certs aren’t validated by the SHA1 signature so they are unaffected by this policy at this time.
4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/Mime signed e-mails. Will Windows still consider SHA1 certifcates valid for those usages afte January 2016/2017? Answer: SHA1 SMIME and SHA1 document signing may be vulnerable at the same time as code signing and SSL, however they are smaller targets than code signing and SSL. This SHA1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.

• Anonymous
  November 14, 2013
  The comment has been removed

• Anonymous
  November 21, 2013
  Hi, When you said the SHA1 deprecation policy does not impact SHA1 root certificates, do you mean that CAs who are already in the root certificate program do not need to re-submit a SHA2 root certificate for replacement in the program? Regarding Windows will stop accepting SHA1 end-entity certificates by 1 January 2017 for SSL certificates, there seem to be conflict of policy with CABForum saying that the maximum validity period of SSL certificates should be 39 months. The deadline implies that CAs must stop issuing SHA1 end-entity certificates with 3 years validity period now. I don't think many CAs is able to switch to issuing SHA2 end-entity certificates immediately. Is it possible to reconsider the deadline?

• Anonymous
  November 22, 2013
  Another question came to my mind: What about revocation status? Do certificates signing CRLs and OCSP responses have to be SHA-2 certificates? Do the CRLs and OCSP responses themself have to be signed with SHA-2?

• Anonymous
  November 22, 2013
  Yes, they have to be SHA2

• Anonymous
  November 25, 2013
  Hi, We have some customer using certificate that is issued from un-trusted root CA. My questions are,

1. The SHA1 certificates are used with the applications develop with CAPI or CNG. Does SHA1 deprecation policy also affect to the certificates used in those applications?
2. What will happen if the SHA1 certificate displayed in the Windows certificate viewer?
3. Does the SHA1 deprecation policy will also affect to the end entity certificate which is issued from root CA which is not the Windows trusted root CA? (The root certificate was mannualy import to Windows root certificate store, not distributed via Root update.)

• Anonymous
  November 26, 2013
  The comment has been removed
• Anonymous
  November 27, 2013
  Hi, I have some question about SHA1 deprecation,

1. What if user still use SHA1 EE certificate in the applications that were develop using CAPI and CNG?
2. After the policy effected, how about the SHA1 certificate in Windows/IE certificate looks like?
3. Is this policy also affect to EE certificate which is not issued by Root Program member CA?
4. Does Windows Phone SSL also support SHA2? Many Thanks!

• Anonymous
  November 27, 2013
  In our organisation we have an internal PKI deployed using a third party CA Management software. We are not involved in the Windows Root Certificate Program. All our certificates (Root, Intermediate, end-entity) currently use SHA-1. Are we going to be impacted by this? The certifiates are being used in many different environments: Windows, zOS, Unix. Will we still be able to use our certificates in Windows enviroment after 1 january 2017? Thank you.

• Anonymous
  December 05, 2013
  The comment has been removed

• Anonymous
  December 06, 2013
  Will the revocation information for codesigning certificates (CRL signature and the certificate signing the CRL, OCSP response signature and the certificate signing it) have to bei in SHA-2 by 2016, too? You mentioned, that codesigning signatures done with a SHA-1 certificate are still OK by 2016, if they contain a Timestamp. Does this timestamp (and its signing certificate) have to be SHA-2?

• Anonymous
  December 06, 2013

1. If root certificates are also to be updated, then that will create huge issue for those who want to be installed on un-updated windows machines who do not have this roots installed.
2. I know have a support case opened with MS cause i followed your advice on signing driver by sha2 certificate and Windows refused to recognise it. Way to go.

• Anonymous
  December 06, 2013
  Hi Mat, Yes, revocation information will be affected. Timestamps can use SHA1 up to 1/1/2016. SHA1 timestamps that are generated before 1/1/2016 will be allowed by Windows after 1/1/2016.

• Anonymous
  December 06, 2013
  The comment has been removed

• Anonymous
  December 14, 2013
  Pingback from SHA1 Deprecation Policy « Jorge's Quest For Knowledge!

• Anonymous
  December 15, 2013
  Pingback from Authenticity and the November 2013 Security UpdatesIT Security News aggregated by IT Security expert Sorin Mustaca | IT Security News aggregated by IT Security expert Sorin Mustaca

• Anonymous
  December 16, 2013
  So, we’ve been quiet for a few months, which is extraordinarily embarrassing after I basically

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates | UC3

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates : Erez Benari's Blog : The Official Microsoft IIS Site

• Anonymous
  December 27, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Safranka M??ty??s szakmai blogja - TechNetKlub

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates - System Center Mindenkinek - TechNetKlub

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Windows Virtualization Team Blog - TechNetKlub

• Anonymous
  December 27, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Windows Server Division weblog - TechNetKlub

• Anonymous
  December 27, 2013
  Pingback from Authenticity and the November 2013 Security Updates - System Center Team Blog - TechNetKlub

• Anonymous
  December 27, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 28, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Microsoft U.S. Partner Team - Partner Community - Microsoft Dynamics Community

• Anonymous
  December 28, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Dynamics AX Sustained Engineering - Microsoft Dynamics AX - Microsoft Dynamics Community

• Anonymous
  December 28, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 28, 2013
  Pingback from Authenticity and the November 2013 Security Updates : Windows Server Customer Engineering (Customer Advisory Team) : The Official Microsoft IIS Site

• Anonymous
  December 28, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 28, 2013
  Pingback from Authenticity and the November 2013 Security Updates : PHP Blogs from Port25 : The Official Microsoft IIS Site

• Anonymous
  December 29, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 29, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  December 29, 2013
  Pingback from Authenticity and the November 2013 Security Updates - Microsoft Lystavlen - Microsoft Dynamics CRM - Microsoft Dynamics Community

• Anonymous
  December 29, 2013
  If you haven't had a chance to see the movie Gravity , I highly recommend you take the time to check

• Anonymous
  January 22, 2014
  The comment has been removed

• Anonymous
  February 13, 2014
  Hi Amerk, Administrators will have the option to enable the no SHA1 policy from Group Policy. What if our customer wish to use SHA-1 end entity certificate issued by private Root CA which was import to Root Certificate store of Windows? Does that mean the application call CertGetCertificateChain API will get no error code return?

• Anonymous
  February 13, 2014
  Can you allow both ... legacy continues to see and use SHA-1 .. new system look only to SHA-2 ?

• Anonymous
  February 14, 2014
  The comment has been removed

• Anonymous
  February 14, 2014
  So...Can I deploy sha-2 in IIS 7 Machine Key hashing? I only see sha-1, not sha-2

• Anonymous
  April 14, 2014
  We are using the Forefront TMG 2010 as reverse proxy and I want to change the SSL certificate.
  Is the TMG 2010 full compatible with SHA-2?
  Thanks for your help!

• Anonymous
  April 15, 2014
  The comment has been removed

• Anonymous
  May 11, 2014
  @toasti
  http://technet.microsoft.com/de-de/library/ee796231.aspx#dfg9o9i8uuy6tre <- that article says: "no" !

• Anonymous
  July 11, 2014
  The comment has been removed

• Anonymous
  September 04, 2014
  This question bothers me too.

• Anonymous
  September 11, 2014
  Ah, the patch is already being put out via a superseded patch via Windows Update. My mistake!

• Anonymous
  September 16, 2014
  Hi,
  I'm glad that my post has helped you.
  Please verify whether the public key of the signing private key is imported to the truststore of the server. The problem may be the public key is not trusted by the server.
  
  
  http://www.arx.com">digital signature software

• Anonymous
  September 25, 2014
  If SHA1 is really weak for web or app security, so why http://blogs.technet.com is taking a rest with “sha1WithRSAEncryption”. - https://www.sha2sslchecker.com

• Anonymous
  September 26, 2014
  The comment has been removed

• Anonymous
  October 21, 2014
    The SHA-1 hashing algorithm for the Microsoft Root Certificate Program is being decommissioned

• Anonymous
  November 05, 2014
  Celková bezpečnost, kterou PKI IT systémům může poskytovat, je primárně závislá

• Anonymous
  November 09, 2014
  Last week I worked with a client that went live with their IFD implementation for CRM On-premise. The

• Anonymous
  December 02, 2014
  www.zeugnis-portal.de
  
  Nice post, thanks for the tips.

• Anonymous
  December 17, 2014
  hello,
  
  you said that "No. This policy do not affect certificates that chain up to privately deployed root CAs. Administrators will have the option to enable the no SHA1 policy from Group Policy."
  
  would you please be able to explain how a root program CA certificate differs from other/privatelydeployed root CA certificates? How will the API differentiate among them? Does the third-party root certificate store (authroot) contain any flags that mark the auto-trusted certificates? Or is it just the certificate store itself which this deprecation policy will apply to?
  
  thank you! ondrej.

• Anonymous
  January 06, 2015
  I have Windows XP. How do I get Service Pack 3?

• Anonymous
  January 07, 2015
  The comment has been removed

• Anonymous
  January 07, 2015
  I'm using Win 7 Home Premium. Spare me the techno-jargon and just tell me am I affected by this change or not ?

• Anonymous
  February 02, 2015
  The comment has been removed

• Anonymous
  February 02, 2015
  Is Windows XP SP 3 able to work with SHA -2 ??
  I can't follow the "computer speak" details, just tell me if I need to do anything to keep accessing USAA with Windows XP SP 3, Thank you.. veritasmax@earthlink.net

• Anonymous
  February 03, 2015
  I am not very computer literate technically. I have Windows xpress which microsoft no longer supports so how do I update to access you on the computer. I read your articles and still don't know what todo

• Anonymous
  February 03, 2015
  I have windows XP. Am I required to do anything?

• Anonymous
  February 03, 2015
  wa the hek does all this mean??

• Anonymous
  February 03, 2015
  I have windows XP....do I need to upgrade my operating system, and if so how do I do that?

• Anonymous
  February 03, 2015
  I have no clue what this is about , or what to do about it...

• Anonymous
  February 04, 2015
  This is the most remarkable example of undecipherable gobbledegook I have ever seen. You have truly outdone yourselves.

• Anonymous
  February 05, 2015
  I am in the dark as to what i can do. I AM USING MICROSOFT XP 6 I am a senior citizen, and all of this is GREEK to me.

• Anonymous
  February 12, 2015
  either I missed it or not, where do you go to get this new " fix"
  

• Anonymous
  February 16, 2015
    “My certificate provider recently switched to only providing SHA2/SHA256 certificates because

• Anonymous
  March 05, 2015
  Avec la génération d'OS W2K8, les produits Microsoft ont consommé de plus en plus de certificats

• Anonymous
  March 06, 2015
  Avec la génération d'OS W2K8, les produits Microsoft ont consommé de plus en plus de certificats

• Anonymous
  March 24, 2015
  The comment has been removed

• Anonymous
  April 01, 2015
  Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything

• Anonymous
  April 20, 2015
  Please refer to this link https://social.technet.microsoft.com/Forums/windowsserver/en-US/495c1165-6ae9-4758-b75c-5db47e4bece4/does-nps-support-sha256-certificates?forum=winserverNAP
  
  IT Admins on the ground are having trouble with RADIUS implementation via SHA-2. Reverting back to SHA-1 works. How do we overcome this? I am also using RAIDUS implementation using Server 2008 in several of my remote sites. I am skeptical of SHA-2 for my RADIUS implementation as we do not have a UAT or test environment. Once we implement SHA-2 and if it breaks, we have a sev1 production issue on our hands which I am not sure how to rolll back.
  
  Can you kindly advise please?

• Anonymous
  April 22, 2015
  Can we have an answer to a simple question for Certificate Services used internally. We have an offline root Ca with 2 issuing CA's that use client certificates for port security and SSL web certificates. We only use these Internally. We are using SHA1 now. What worries do we have to worry about with this deprecation policy? I can't seem to find a great answer. Will IE stop connecting to our internal SSL sites that have SHA1 certs configured. Will computers stop auto-enrolling in SHA1 client certs after 1/1/16?
  
  I'm working on building a new SHA2 CA environment on servers 2012, but our certs are good for 2 years now which means everything issued since 1/1/15 needs to have the new certs from the new SHA2 CA by end of 2016? Is this correct? I hope this makes sense.
  
  Thanks,

• Anonymous
  April 29, 2015
  As with Sean N we also run our own PKICA (not part of the Windows Root Certification Program). From reading it sounds like we are not affected per-se. However the mechanism for blocking SHA 1 certs in windows does not seem clear. As far as I can work out there is no clear distinction in the various Windows APIs for a application to tell if a root cert has been added by a user or is instead auto-installed because it is part of the Windows Root Certification Program (as shown in messages in FF forums:https://bugzilla.mozilla.org/show_bug.cgi?id=432802). Will there be any way for us to test what will happen to ensure we are safe?
  An example of concern is obviously that our certs stop working on 1/1/2017 but also if the mechanism of this block was to stop SHA-1 cryptographic algorithm working then elements of our apps that use SHA-1, say for hashing messages to ensure that have not been modified, would stop working (for example:if MS used this method to block: https://technet.microsoft.com/en-us/library/64580d5a-7b33-4151-8fa9-9efcff0240ad). Whilst I think this is an unlikely method I can't say for sure and hence this is a major risk for the enterprise that I work for.
  Realize that a decision point in July 2015 has still to be reached my MS to decide if this SHA-1 block can go ahead but more transparency on the what and how (and even better - ways to test) would be really appreciated as this could have a heavy impact on many enterprises.

• Anonymous
  May 15, 2015
  After this weeks update I have had customers calling me complaining that they cannot connect to our mail servers. Does anyone know if Microsoft stopped excepting SHA1 SSL connections.

• Anonymous
  May 29, 2015
  The policy on SHA-1 code signing as stated is this: For code signing certificates, Windows 7 and later versions will stop accepting code signed with SHA-1 certificates without timestamps that were made prior to January 1, 2016.
  
  Does this mean that (my emphasis) SHA-1 programs built after Jan 1, 2016 will still continue to work? In other words, as long as I timestamp my builds, even after the date, they still continue to work?
  
  

• Anonymous
  May 29, 2015
  The comment has been removed

• Anonymous
  June 01, 2015
  This is a disaster! No certificate providers are willing to sell a SHA-1 code signing certificate valid longer than Jan 1, 2016. This means that Server 2008 installations cannot update a driver signed after that date because Server 2008 doesn't support SHA-256 in the kernel.
  
  Server 2008 has extended support until 2020 which is supposed to include security fixes. Going four years with unpatched kernel drivers seems like a pretty big potential security issue to me. Much bigger than any theoretical preimage attack on SHA-1. The train to get certificate providers to continue issuing SHA-1 certs may have passed but it's not too late to add SHA-256 support to Server 2008 kernel driver Authenticode!
  
  Microsoft, please reconsider!

• Anonymous
  June 05, 2015
  Bonjour,
  
  Pouvez-vous me dire si ISA2006 serait compatible avec un certificat de type SHA2
  Bien entendu la machine Windows 2003 a été patché avec le hotfix adéquat 968730 ... 938397 ect
  Merci

• Anonymous
  June 08, 2015
  Can we have some clearer guidance (with a table perhaps?) on the various restrictions between kernel (boot critical and non-boot critical) and user mode codesigning, plus the double signature (SHA-1 and SHA-2) methodology as applied to kernel and user mode? Along with the SHA-2 EV certificate restrictions and usage for kernel mode and user mode on windows 10? The various deadlines mean there is a bad grey zone between windows 10 launch and SHA-1 sunset for developers still supporting Vista/2008, as well as those unfortunate enough to still be supporting back to XP/2003 despite the platform support sunset.

• Anonymous
  June 25, 2015
  Just one simple answer to one simple question. Does this policy effect non-public CA's, like internal Microsoft CA's that companies run for internal certificates? That is all I want to know.

• Anonymous
  July 03, 2015
  The comment has been removed

• Anonymous
  July 14, 2015
  I have a question in my company have an internal PKI based on SHA-1, and all our Web Services use an SSL certificate that consumed other servers. My concern is that after the January 1, 2017, systems that consume web services are affected by ceasing to support SHA-1 certificates. What do you think about this? there may be problems in Web services Services if we keep SHA-1?

• Anonymous
  July 16, 2015
  When will the mid-term evaluation of policy impact be complete/posted?

• Anonymous
  July 29, 2015
  So a digital signatures made with an SHA1 certificate will not be accepted after 2020, it is pretty clear.
  
  But what about SHA1 time-stamps? Logic tells me that a timestamp will also not be accepted after January 2020 if it was made with a SHA-1, so to made our software 2020-ready we need to use a SHA256 RFC 3161 timestamping service, but Symantec support is trying to convince me that this deprecation policy is not applied to timestamps.
  
  Currently only GlobalSign and StarField TSA services generate SHA256 timestamps.

• Anonymous
  August 06, 2015
  Symantec is now claiming that you can use SHA-2 certs in SHA-1 signing mode for vista/2008 (same as the first stage in a dual sign for windows 7), but who knows how well that works outside of a 100% fully patched SP2 install with updated cert stores.

• Anonymous
  August 07, 2015
  Yes, SHA-2 certs will work for Vista/2008 in user mode. I guess Microsoft never thought that kernel drivers may need an update or two during the four year time span between Jan 1 2016 and Jan 14 2020?

• Anonymous
  August 13, 2015
  "Microsoft will give new consideration to the SHA deprecation deadlines in July 2015" - August now. We really do need to see the outcome and (I think crucially) clear information on how this is going to be enforced by MS on client and servers (Is it a patch - what will the patch actually do etc) if we are to minimise issues occurring when this comes into effect.

• Anonymous
  August 18, 2015
  Additional information is here http://social.technet.microsoft.com/wiki/contents/articles/31633.microsoft-trusted-root-program-requirements.aspx#D_Code_Signing_Root_Certificate_Requirements

• Anonymous
  September 02, 2015
  MSFT Can you please confirm that this is only applicable to Root CAs under the Trusted Root Certificate Program and that if a corporation is using a private self-signed Root CA there would be no disruption of service under this depreciation policy and dates?
  
  If there is posted guidance to this effect please provide the appropriate link.

• Anonymous
  September 04, 2015
  (2015.09.04 追記)
  本記事でご案内をしている内容は、弊社製品のうち、Visual Studio や .NET Framework といった開発ツールが対象となります。
  Windows

• Anonymous
  October 05, 2015
  how there is no update on this crucial topic...is it that difficult to have a proper blog with all that works and doesn't work explained clearly?!?!

• Anonymous
  October 11, 2015
  WHY DOES MY sha 1 certs say that it is fraudulent , self signed
  
  

• Anonymous
  October 16, 2015
  This page is out of date. Please see http://aka.ms/sha1 for the latest

• Anonymous
  October 19, 2015
  no that is not out of date. that is latest bro. http://justnaukri.in/result">Result

• Anonymous
  October 19, 2015
  http://aka.ms/sha1>Please refer this new page

• Anonymous
  October 22, 2015
  Thanks for linking to the update. Please leave a copy of the original post though. It's unhelpful to remove what you wrote from a published site.

• Anonymous
  October 22, 2015
  As of October 2015, Google Chrome shows a red warning for https://sha1-2017.badssl.com (website using SHA1 beyond deadline) and neutral security forhttps://sha1-2016.badssl.com/
  
  Internet Explorer doesn't show any warnings. What's going on?
  
  
  

• Anonymous
  October 25, 2015
  212 Microsoft Team blogs searched, 69 blogs have new articles. 226 new articles found searching from

• Anonymous
  October 30, 2015
  212 Microsoft Team blogs searched, 49 blogs have new articles. 117 new articles found searching from

• Anonymous
  November 06, 2015
  What does this mean with regards for SQL Severs what use sha1 certificates for SSL encryption?

• Anonymous
  January 06, 2016
  A consultation on January 1, 2017, if a Services Web site use SHA-1, will be affected client when consulting?

• Anonymous
  January 06, 2016
  A consultation on January 1, 2017, if a Web Services (WBS) uses SHA-1, will be affected client when consulting?

• Anonymous
  January 06, 2016
  If you have a Windows 2003 Web Services in patched SHA2, may linux or windows 2000 customers consume the service?

• Anonymous
  January 11, 2016
  I am unable to access the page. www.microsoftzzzz.com

• Anonymous
  September 07, 2016
  Hi can someone explian and answer. I have web portal which connects external users to it , currently it uses SHA1 and since Microsoft intended to block SHA1 will that it have impact on any users connecting ( i:g will be blocked by the browser after 1 Jan 2017)

• Anonymous
  April 05, 2017
  Hi,I have few legacy applications which are hosted on Oracle10g OHS. now i need to migrate legacy applications from http to https for this i need SHA1 certificate. Can anyone help me where can i get SHA1 certificate ?Thanks in advance.