How will Microsoft/IE treat SHA1 certificates after 2016?

All replies

  • According to this announcement - http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx - Microsoft Windows 7 and higher will no longer support code signed with SHA-1 beginning January 1, 2016. Server authentication certificates, e.g. web server certificates that enable HTTPS, that are issued using SHA-1 will no longer be supported as of January 1, 2016.
    Tuesday, December 15, 2015 9:40 PM
  • The hotfix that added SHA2 certificate support to Win 7 included KMCS.


    Tim Roberts, Driver MVP Providenza & Boekelheide, Inc.

    Friday, December 18, 2015 11:20 PM
  • Going back to the original question of "how IE will treat sites that still supply SHA1 certs to the browsers", IE will still accept the certificate until the certificate expires and no warnings/errors will be shown. 

    I've tested it with IE11 via https://badssl.com/ 

    1. signed using SHA-1 and expires on Dec. 29, 2016:

    https://sha1-2016.badssl.com/

    2. signed using SHA-1 and expires on Jan. 5, 2017

    https://sha1-2017.badssl.com/

    Looking at the certificate information in IE will show that "The certificate is OK", unlike in Chrome, where the lock icon will be marked red and tell users that the site has a weak security configuration.

    Wednesday, February 10, 2016 2:06 AM
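The two properties the thread keeps coming back to are the hash used in a certificate's signature and the certificate's expiry date. Browsers show these in a dialog, but when auditing many hosts it helps to read them straight from the DER. The following script is an added example, not code from any poster or from badssl.com: it carries a minimal DER encoder used only to build constructed sample certificates (zero placeholder signatures, empty names), a minimal DER reader that pulls out the signatureAlgorithm OID and notAfter field per RFC 5280, and an `assess_cert` helper that flags SHA-1-signed certificates and whether they are still valid past a cutoff date. The cutoff `MS_CUTOFF` (1 January 2016) is taken from the announcement quoted above; the certificate contents themselves are assumptions for illustration.

```python
import datetime

# Signature algorithm OIDs from RFC 3279 / RFC 4055.
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
# Cutoff date from the Microsoft announcement quoted in the thread.
MS_CUTOFF = datetime.datetime(2016, 1, 1)


# --- minimal DER encoder, used only to build constructed sample certificates ---
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]          # base-128, high bit set on all but the last byte
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_utctime(yymmddhhmmss):
    return der_tlv(0x17, (yymmddhhmmss + "Z").encode("ascii"))


def build_sample_cert(sig_oid, not_after):
    """Constructed sample: the RFC 5280 field layout is real, but names are empty
    and the signature value is a zero placeholder (never trust it as a real cert)."""
    alg_id = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier {oid, NULL}
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_utctime("160101000000") + der_utctime(not_after))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] version: v3
                  + der_tlv(0x02, b"\x01")                 # serialNumber
                  + alg_id                                 # signature (must equal outer one)
                  + empty_name + validity + empty_name     # issuer, validity, subject
                  + der_tlv(0x30, b""))                    # subjectPublicKeyInfo placeholder
    return der_tlv(0x30, tbs + alg_id + der_tlv(0x03, b"\x00" * 17))


# --- minimal DER reader, enough to walk a Certificate's top-level fields ---
def der_read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def oid_decode(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(body.decode("ascii"), fmt)


def assess_cert(der, cutoff):
    """Report the signature hash and expiry of one DER certificate against a cutoff."""
    _, cert, _ = der_read(der)
    tbs, sig_alg, _sig_value = der_children(cert)
    outer_oid = oid_decode(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit version
        fields = fields[1:]
    inner_oid = oid_decode(der_children(fields[1][1])[0][1])
    _not_before, (na_tag, na_body) = der_children(fields[3][1])
    not_after = parse_time(na_tag, na_body)
    return {
        "signature_algorithm": outer_oid,
        "algorithms_match": outer_oid == inner_oid,   # RFC 5280 4.1.1.2 requires equality
        "sha1": outer_oid == SHA1_WITH_RSA,
        "not_after": not_after.date().isoformat(),
        "valid_past_cutoff": not_after > cutoff,
    }


if __name__ == "__main__":
    samples = [("sha1, expires 2016", build_sample_cert(SHA1_WITH_RSA, "161229235959")),
               ("sha1, expires 2017", build_sample_cert(SHA1_WITH_RSA, "170105235959")),
               ("sha256", build_sample_cert(SHA256_WITH_RSA, "181231235959"))]
    for label, cert in samples:
        print(label, assess_cert(cert, MS_CUTOFF))
```

Against a real deployment you would feed `assess_cert` the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` for each host in the leaf-to-root chain; a SHA-1 result on the leaf or an intermediate is what the badssl.com hosts above exercise, while a SHA-1 self-signed root is harmless because root signatures are never verified.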
  • Sanchez, good site. Can you set up another test for a SHA1 cert issued after January 1st 2016? Also, could you fix the issue with the incomplete chain (the chain looks good in IE and Chrome)? Thanks.
    Monday, April 4, 2016 3:58 PM
  • According to this announcement - http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx - Microsoft Windows 7 and higher will no longer support code signed with SHA-1 beginning January 1, 2016. Server authentication certificates, e.g. web server certificates that enable HTTPS, that are issued using SHA-1 will no longer be supported as of January 1, 2016.
    So if I'm reading that site correctly, if you have a site using an SHA1 cert from a CA like Verisign, IE will no longer show it as secure starting Jan 1st 2017. However, if your SHA1 cert is from an internal CA like an intracompany Root Certificate, it will be fine even if that root certificate is SHA1 too?
    Wednesday, September 28, 2016 2:13 PM