SHA1 deprecation - what will happen to CA roots?

It seems that CAs are now issuing SHA2 certs with SHA2 all the way up the chain, including the CA root. What does the policy say about SHA1 roots in the OS/browser trust stores? The way I understand it is that CAs will stop issuing end-entity SSL certs as SHA1 on 1/2017, but the policy really does not say how, or if, the OS/browser cert stores will be rid of SHA1 roots by that date. Does anyone know what the plans are for SHA1 roots in trust stores?

November 24th, 2014 2:06am

On 11/23/2014 5:06 PM, user5309 wrote:

It seems that CAs are now issuing SHA2 certs with SHA2 all the way up the chain, including the CA root. What does the policy say about SHA1 roots in the OS/browser trust stores? The way I understand it is that CAs will stop issuing end-entity SSL certs as SHA1 on 1/2017, but the policy really does not say how, or if, the OS/browser cert stores will be rid of SHA1 roots by that date. Does anyone know what the plans are for SHA1 roots in trust stores?


This is all I can find - https://cabforum.org/wp-content/uploads/BRv1.2.1.pdf - Section 9.4.2:

"This Section 9.4.2 does not apply to Root CA or CA cross certificates. CAs MAY continue to use their existing SHA-1 Root Certificates"

BUT

then I come across this:

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

Which says, if I am interpreting this correctly, that the digest algorithms on roots list SHA1 as valid until Jan 2016. But down below under the "SHA1 deprecation policy" it says nothing about the actual root certs.

So now I am a bit confused.

November 24th, 2014 3:44am

Hi,

Does anyone know what the plans are for SHA1 roots in trust stores?

The SHA1 Deprecation Policy you mentioned only applies to CAs that are members of the Windows Root Certificate Program and issue publicly trusted certificates.

But down below under the "SHA1 deprecation policy" it says nothing about the actual root certs.

You don't have to worry about this, since when the time comes, Windows machines will download publicly trusted root certificates with a non-SHA1 algorithm; in other words, the Windows Root Certificate Program will update the trusted root certificates of public CAs.

More information for you:

SHA1 Deprecation

https://social.technet.microsoft.com/Forums/lync/en-US/2eed4e80-5b24-4983-87eb-6ce36ab42cee/sha1-deprecation?forum=winserversecurity

Best Regards,

Amy

November 25th, 2014 11:49am

Private Enterprise PKI Root CA certificates are not affected by the deprecation policy.

Check this whitepaper that lists exactly what is affected and what is not:

http://ammarhasayen.com/2015/02/02/pki-certificate-services-sha-1-deprecation/

February 17th, 2015 3:51am
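An added illustration (not code from this thread or any poster) of why Baseline Requirements section 9.4.2 exempts roots and why Amy's answer holds: a verifier checks each signature from the end-entity certificate up to the trust anchor, but the anchor itself is trusted by its presence in the store and its self-signature is never verified, so a SHA-1 self-signed root still validates a SHA-256 chain, while a SHA-1 signature on the end-entity certificate is rejected. It uses Go's crypto/x509 with a constructed test PKI; the names BuildChain, VerifyAgainstRoot and example.test are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on a CreateCertificate error and parses the DER it produced.
func must(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// BuildChain constructs test data: a self-signed root whose own signature uses SHA-1,
// and a leaf for example.test signed by that root with leafAlg.
func BuildChain(leafAlg x509.SignatureAlgorithm) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test SHA-1 Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.ECDSAWithSHA1,
	}
	root = must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, SignatureAlgorithm: leafAlg,
	}
	leaf = must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))
	return root, leaf
}

// VerifyAgainstRoot chains leaf to root as a browser would. The root is the trust anchor, so its
// own SHA-1 self-signature is never checked; a SHA-1 signature on the leaf is rejected (Go 1.18+).
func VerifyAgainstRoot(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "example.test"})
	return err
}
```

VerifyAgainstRoot(BuildChain(x509.ECDSAWithSHA256)) returns nil despite the SHA-1 root, while VerifyAgainstRoot(BuildChain(x509.ECDSAWithSHA1)) returns an insecure-algorithm error on Go 1.18 and later.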
