It seems that CAs are now issuing SHA2 certs with SHA2 all the way up the chain including the CA root. What does the policy say about SHA1 roots in the OS/browser trust stores? The way I understand it is that CAs will stop issuing end-entity SSL certs as SHA1 1/2017 but the policy really does not say how or if the OS/browser cert stores will be rid of SHA1 roots or not by that date. Does anyone know what the plans are for SHA1 roots in trust stores?
On 11/23/2014 5:06 PM, user5309 wrote:
It seems that CAs are now issuing SHA2 certs with SHA2 all the way up the chain including the CA root. What does the policy say about SHA1 roots in the OS/browser trust stores? The way I understand it is that CAs will stop issuing end-entity SSL certs as SHA1 1/2017 but the policy really does not say how or if the OS/browser cert stores will be rid of SHA1 roots or not by that date. Does anyone know what the plans are for SHA1 roots in trust stores?
-----
http://social.Technet.microsoft.com/Forums/en-US/winserversecurity/thread/ad011028-d62e-4838-b556-35b7977c3dc6#ad011028-d62e-4838-b556-35b7977c3dc6
-----
This is all I can find - https://cabforum.org/wp-content/uploads/BRv1.2.1.pdf - Section 9.4.2 -
"This Section 9.4.2 does not apply to Root CA or CA cross certificates. CAs MAY continue to
use their existing SHA-1 Root Certificates"
BUT
then I come across this:
Which says, if I am interpreting this correctly, that the digest algorithms on roots list SHA1 as valid until Jan 2016. But down below under the "SHA1 deprecation policy" it says nothing about the actual root certs.
So now I am a bit confused.
Hi,
Does anyone know what the plans are for SHA1 roots in trust stores?
The SHA1 Deprecation Policy you mentioned only applies to CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates.
But down below under the "SHA1 deprecation policy" it says nothing about the actual root certs.
You don't have to worry about this, since when the time comes, Windows machines will download publicly trusted root certificates with a non-SHA1 algorithm; in other words, the Windows Root Certificate Program will update the trusted root certificates of public CAs.
More information for you:
SHA1 Deprecation
Best Regards,
Amy
- Proposed as answer by Amy Wang_Moderator Friday, December 05, 2014 3:17 AM
- Marked as answer by Amy Wang_Moderator Tuesday, December 09, 2014 4:20 AM
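The distinction the answer above rests on, that a self-signed root's own signature is never verified by a client (trust comes from the root being present in the store, which the Root Certificate Program can refresh), can be checked on a real chain. The following Python script is an added example, not code from the thread or from Microsoft: it walks a PEM bundle with a minimal DER parser (standard library only), reads each certificate's signatureAlgorithm OID, detects self-signed certificates by comparing the raw issuer and subject names, and reports a SHA-1 signature as a problem only when it sits on a certificate that actually gets validated (intermediate or end-entity). The sample chain is constructed inline with a tiny DER encoder and carries placeholder keys and signatures; the names and OIDs are the only real values.

```python
"""Audit a PEM chain for SHA-1 signatures that matter (added example, stdlib only)."""
import base64
import re

# Signature algorithm OIDs commonly seen in public PKI.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _decode_oid(raw):
    """Decode OID contents to dotted form (first arc 0/1/2 handled for arcs < 80)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def describe_cert(der):
    """Return (signature algorithm name, self_signed) for one DER certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    parts = list(_children(cert))                     # tbsCertificate, signatureAlgorithm, signatureValue
    tbs, sig_alg = parts[0][1], parts[1][1]
    oid = _decode_oid(next(_children(sig_alg))[1])    # AlgorithmIdentifier.algorithm
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                          # explicit [0] version, optional
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    return SIG_OIDS.get(oid, "unknown:" + oid), issuer == subject

def pem_chain(text):
    """Split a PEM bundle into DER certificates in the order listed."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def audit_chain(text):
    """One (index, algorithm, verdict) per certificate; SHA-1 only matters off the root."""
    findings = []
    for i, der in enumerate(pem_chain(text)):
        alg, self_signed = describe_cert(der)
        if "SHA1" in alg.upper():
            verdict = ("self-signed root: signature not verified, trust comes from the store"
                       if self_signed else "SHA-1 signature on a validated certificate: replace")
        else:
            verdict = "ok"
        findings.append((i, alg, verdict))
    return findings

# --- constructed sample data below: a tiny DER encoder producing structural stand-ins ---
def _der(tag, content):
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))

def _name(cn):
    """X.500 Name with a single commonName RDN."""
    return _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x0C, cn.encode()))))

def make_stub_cert(subject, issuer, sig_oid):
    """Structurally valid certificate with placeholder key/signature (constructed, not real)."""
    alg_id = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg_id + _name(issuer)
               + _der(0x30, _der(0x17, b"240101000000Z") * 2) + _name(subject) + _der(0x30, b""))
    der = _der(0x30, tbs + alg_id + _der(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed chain: SHA-256 leaf and intermediate, SHA-1 self-signed root (the thread's scenario).
SAMPLE_CHAIN = (make_stub_cert("www.example.test", "Example Intermediate CA", "1.2.840.113549.1.1.11")
                + make_stub_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.11")
                + make_stub_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for idx, alg, verdict in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{idx}] {alg}: {verdict}")
```

To run it against a real bundle, pass the contents of a PEM chain file to audit_chain(); the DER walker only needs the outer structure, so it copes with any certificate openssl would accept. The self-signed check compares raw issuer and subject encodings, which is what a chain builder does before looking the root up in the store.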
Private Enterprise PKI Root CA certificates are not affected by the deprecation policy.
Check this whitepaper that lists exactly what is affected and what is not
http://ammarhasayen.com/2015/02/02/pki-certificate-services-sha-1-deprecation/