Microsoft has published a security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program”. In summary, Windows will cease accepting SHA-1 certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-256 (SHA-2) equivalent by January 1, 2017.
Symantec is helping to make the Internet more secure by proactively using, promoting, and elevating cryptographic standards within SSL/TLS and code-signing certificates. As technology changes, it is critical to stay ahead of those who wish to defeat cryptographic technologies for their malicious benefit.
The initiative to migrate from SHA-1 to SHA-256 (SHA-2) is the next proactive phase to better secure websites, intranet communications, and applications. Organizations need to develop a migration plan for any SHA-1 end-entity SSL certificates that expire after January 1, 2017 and SHA-1 code signing certificates that expire after January 1, 2016.
To make this transition as easy as possible, below are a few helpful resources:
Use a Test Certificate to ensure you can support SHA-2.
Tools for generating a new CSR for a compliant certificate.
Easily determine the key size and hash of your certificates.
Learn how to install a certificate on a variety of servers.
Track and manage all SSL/TLS certificates in your ecosystem.
Q: Will having SHA-1 certificates after December 31st, 2016 affect website security?
A: Websites that do not conform to Microsoft’s policy may not be accessible with Internet Explorer.
Q: What should I do?
A: Customers should take inventory of their certificates and plan on migrating SHA-1 SSL and code signing certificates to SHA-2 before January 1, 2017. Customers are entitled to a credit for any unused validity left on the SHA-1 certificate. If assistance is required, customers may contact the Symantec support team. SHA-1 certificates can still be issued, but their validity must not extend beyond December 31, 2016.
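As an added example (not part of the original page or Symantec's own tooling), the following dependency-free check supports the inventory step above: it reads a DER-encoded certificate's signature algorithm and notAfter and flags SHA-1 certificates that outlive the deadlines quoted on this page. The OID table, the deadline values and the constructed sample certificate are assumptions made for offline use; point `inspect_der(pem_to_der(open(path).read()))` at your own PEM files.

```python
import base64
from datetime import datetime, timezone

# Raw DER OID bodies of signature algorithms -> (name, uses SHA-1)
SIG_ALGS = {bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", True),
            bytes.fromhex("2a8648ce3d0401"): ("ecdsa-with-SHA1", True),
            bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", False)}
DEADLINES = {"ssl": datetime(2017, 1, 1, tzinfo=timezone.utc),           # cut-offs quoted in the advisory
             "code-signing": datetime(2016, 1, 1, tzinfo=timezone.utc)}

def read_tlv(buf, pos):  # one DER element -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:         # long-form length: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):      # (tag, value) of each element inside a SEQUENCE body
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val
def inspect_der(der):    # signature algorithm and notAfter of one DER-encoded certificate
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)   # tbsCertificate, signatureAlgorithm, signatureValue
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                     # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    tag, not_after = list(children(fields[3][1]))[1]   # validity is fields[3]; its second Time is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    raw_oid = next(children(sig_alg))[1]         # AlgorithmIdentifier.algorithm
    name, sha1 = SIG_ALGS.get(raw_oid, ("unknown:" + raw_oid.hex(), None))  # None = review by hand
    return {"sig_alg": name, "sha1": sha1,
            "not_after": datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)}
def needs_migration(der, use="ssl"):  # True when a SHA-1 cert outlives the deadline for its use
    info = inspect_der(der)
    return bool(info["sha1"]) and info["not_after"] > DEADLINES[use]
def pem_to_der(pem):     # strip the armour lines of a PEM file, then base64-decode the body
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# Constructed sample for offline use (not a real certificate; the signature bits are dummy zeros).
def tlv(tag, body):      # short-form DER encoder; every element of the sample is under 128 bytes
    return bytes([tag, len(body)]) + body
def build_sample(sig_oid_hex, not_after):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"140301000000Z") + tlv(0x17, not_after))
    # tbsCertificate stops after validity: subject and public key are not read by this audit
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + validity)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))
```

An unknown signature OID is reported with `sha1` set to `None` rather than silently passed, so extend `SIG_ALGS` for any algorithm your estate actually uses.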
Q: Can I get a refund for any unused validity?
A: Yes, any unused validity on a certificate that can’t be transferred to a new certificate is entitled to a unit refund.
Q: Is SHA-1 still safe? Why do customers need to migrate?
A: The CA/B Forum and industry leaders are proactively looking for ways to help customers secure their environments and infrastructure. SHA-1 has been a widely accepted industry standard and enjoyed strong ubiquity; however, SHA-2 contains a number of improvements that strengthen security, and the National Institute of Standards and Technology (NIST) has recommended its use instead of SHA-1.
Q: What is Symantec doing in response to this?
A: SHA-2 end-entity certificates are currently available. SHA-2 intermediate certificates will be available by Spring 2014. SHA-2 certificates will become the default option in all consoles in the near future. We are providing communication, resources, and technical support to assist our customers through this migration.
Q: Does Symantec offer a SHA-2 test certificate?
A: Yes, a test certificate can be found at https://ssltest39.ssl.symclab.com. Symantec recommends running a compatibility test on clients communicating with servers using SHA-2 certificates by connecting to this site.
Q: Will this affect Code Signing certificates?
A: Yes, code signing certificates are also affected by this migration; we recommend that code signing users also read Microsoft’s announcement.
Q: When should customers migrate?
A: Customers should renew with SHA-2 end-entity and intermediate certificates when they become available in Spring, 2014. Customers should focus on migrating their remaining certificates before December 31, 2016.