In November of 2013, Microsoft indicated that Windows would not accept certificates using SHA-1 as valid starting in 2017. Most certificates expire after 1-3 years, providing ample time to update existing certificates during normal renewal processes.
I just received a notification that Google Chrome will start marking web sites using certificates with SHA-1 as invalid starting in November 2014 if the expiry date of that certificate is after 2015. That is a much faster time frame.
A review of our clients has revealed that only one certificate is using SHA-1 at this time. All of the others are using SHA-256 (one of the SHA-2 family of algorithms). For this one client, we need to rekey the certificate to use the new algorithm.
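To carry out the kind of review described above without relying on a third-party library, the following stand-alone Python script is an added example (not from the original post) that walks a DER-encoded certificate with a minimal ASN.1 reader, reports the signature algorithm and expiry, and flags the combination the post describes: signed with SHA-1 and expiring after 2015. The `build_test_certificate` helper and the certificate it produces are constructed for the demo only; it builds an unsigned skeleton, not a real certificate, and the OID table covers only the common RSA and ECDSA signature algorithms.

```python
# Added example: stdlib-only check for SHA-1 signed certificates.
import base64
import datetime

# Signature-algorithm OIDs we classify; anything else is reported as "unknown".
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield the (tag, body) pairs inside a constructed value such as a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        yield tag, body

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def decode_time(tag, body):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = body.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")

def pem_to_der(pem):
    """Strip the BEGIN/END lines of a PEM certificate and base64-decode it."""
    return base64.b64decode("".join(l for l in pem.strip().splitlines() if not l.startswith("-----")))

def inspect_certificate(der):
    """Return digest name, notAfter, and whether the post's Chrome policy applies."""
    _, cert, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    parts = list(children(cert))              # tbsCertificate, signatureAlgorithm, signatureValue
    tbs_fields = list(children(parts[0][1]))
    if tbs_fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    validity = list(children(tbs_fields[3][1]))        # serial, signature, issuer, validity, ...
    not_after = decode_time(*validity[1])
    sig_oid = decode_oid(next(children(parts[1][1]))[1])  # first element of AlgorithmIdentifier
    name, digest = SIG_ALG_OIDS.get(sig_oid, (sig_oid, "unknown"))
    return {
        "signature_algorithm": name,
        "digest": digest,
        "not_after": not_after,
        # Post's rule: Chrome will flag SHA-1 certificates expiring after 2015.
        "needs_rekey": digest == "SHA-1" and not_after.year > 2015,
    }

def _tlv(tag, body):
    assert len(body) < 0x80          # short-form lengths suffice for the constructed skeleton
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def build_test_certificate(sig_oid, not_after_utctime):
    """Constructed, unsigned certificate skeleton for the demo (NOT a real certificate)."""
    alg = _tlv(0x30, _tlv(0x06, _oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, not_after_utctime.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # version v3, serial
                     + alg + _tlv(0x30, b"") + validity                      # signature, issuer, validity
                     + _tlv(0x30, b"") + _tlv(0x30, b""))                    # subject, SPKI placeholders
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(inspect_certificate(build_test_certificate(oid, "161231235959Z")))
```

For a real deployment you would feed `inspect_certificate(pem_to_der(open(path).read()))` the certificate files from each client, or the leaf certificate returned by `ssl.get_server_certificate`, and list every entry whose `needs_rekey` is true.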
Specific instructions for rekeying vary depending on your SSL provider.
Some potential issues with SHA-2:
- If you have legacy servers such as Windows Server 2003, you need to update them to support SHA-2 by installing a hotfix (http://support.microsoft.com/kb/968730). This is required for Exchange 2003 servers if you have them or older web servers.
- If you are using GoDaddy digital signing certificates, the Java security store does not automatically trust the SHA-2 based certificates yet. Apparently, this is in the works and will be complete within the next few months. So, in the short term you may want to keep SHA-1 for that purpose. The Chrome change in November 2014 won't affect Java signing.
References:
- https://garage.godaddy.com/webpro/security/google-chrome-phasing-ssl-certs-using-sha-1/
- http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx