Transitioning to SHA-256 certificates
SHA-2 is a family of cryptographic hash functions published by NIST (National Institute of Standards and Technology) to replace the aging SHA-1 hash function, which has known cryptanalytic weaknesses (published collision attacks that cost far less than a brute-force search).
As your security partner, we will support the deprecation of SHA-1 and the transition to SHA-256, the most widely supported of the SHA-2 hash functions. We will work closely with all customers to ensure a seamless transition. The first step in the process is the availability of SHA-256 SSL Certificates by March 31, 2014.
This article sets out the important milestones for the introduction of SHA-256 SSL Certificates and the deprecation of SHA-1 SSL Certificates.
Important dates for the end of support for SHA-1
| Date | Microsoft action |
|---|---|
| January 1, 2016 | Microsoft will cease trusting Code Signing Certificates using SHA-1 |
| January 1, 2017 | Microsoft will cease trusting SSL Certificates using SHA-1 |
| July 2015 | Microsoft will revisit the above dates and potentially accelerate them if deemed appropriate |
While the CA/Browser Forum has not yet specified SHA-256 in its Baseline Requirements, Microsoft is driving the industry toward the January 2017 date, when it will stop trusting all SHA-1 Certificates issued under public roots. TRUSTZONE is tracking the status within the CA and browser industry as well as within security forums, and will keep our customers up to date on any milestone changes or on credible advances in breaking SHA-1.
TRUSTZONE customers should be aware of the following event dates:
| Date | TRUSTZONE action |
|---|---|
| March 31, 2014 | TRUSTZONE enables and recommends SHA-256 during the SSL ordering process. |
| March 31, 2014 | TRUSTZONE customers can reissue existing SHA-1 Certificates from our SHA-256 Root, free of charge, at any point during the validity period of the Certificate. |
| March 31, 2014 | New Certificate applications opting to use SHA-1 will be limited to a maximum Certificate validity period of 3 years. TRUSTZONE will monitor the SHA-1 risks and deprecation situation with Microsoft and other vendors and may reduce validity periods in subsequent years. |
| January 2016 | TRUSTZONE will disable all SHA-1 issuance options (subject to change based on updated Microsoft guidelines). |
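Before taking up the reissue offer above, a practitioner needs an inventory of which deployed certificates (and which intermediates in their chains) are still signed with SHA-1. The following is an added example, not TRUSTZONE's or Microsoft's tooling: a dependency-free Python check that reads the outer signatureAlgorithm of a DER or PEM certificate and flags SHA-1. The X.509 layout it walks (Certificate = SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and the algorithm OIDs are standard; the `_toy_certificate` and `sample_pem` helpers build constructed stand-in certificates so the script runs offline, and are not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs seen in public TLS certificates (RFC 3279 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (real certificates need this)
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation.

    The first byte packs arcs 1 and 2 as 40*a1 + a2; later arcs are base-128
    with the high bit set on all but the last byte of each arc.
    """
    arcs = [value[0] // 40, value[0] % 40]   # fine for the 1.x OIDs used here
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(cert, pos)   # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(sig_alg, 0)      # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    return decode_oid(oid)


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def classify(der):
    """Report the signature hash and whether the certificate needs a SHA-256 reissue."""
    oid = signature_oid(der)
    name, hash_name = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"oid": oid, "algorithm": name, "hash": hash_name,
            "needs_reissue": hash_name == "SHA-1"}


# --- constructed sample input (not a real certificate) -----------------------
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form length suffices for the toy


def _toy_certificate(sig_oid_bytes):
    """Minimal stand-in with the real outer layout; tbsCertificate is a stub."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # SEQUENCE { INTEGER 1 }
    sig_alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + b"\x05\x00")   # SEQUENCE { OID, NULL }
    sig_val = _tlv(0x03, b"\x00" + b"\xaa" * 8)                     # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + sig_alg + sig_val)


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def sample_pem(sig_oid_bytes):
    """PEM-armour a toy certificate, as it would appear in a server config."""
    b64 = base64.b64encode(_toy_certificate(sig_oid_bytes)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, oid in (("legacy", SHA1_RSA_OID), ("reissued", SHA256_RSA_OID)):
        print(label, classify(pem_to_der(sample_pem(oid))))
```

Run it over every leaf and intermediate certificate in a chain file; a self-signed root's own signature is not verified by browsers, so a SHA-1 root is not by itself a problem, but a SHA-1 intermediate is. Note that the check reads the hash the certificate was signed with, which says nothing about whether the client that receives it can verify SHA-256 (see the compatibility section).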
Known issues with compatibility
Most applications, servers and browsers support SHA-256. However, some older operating systems, such as Windows XP prior to Service Pack 3, and some mobile devices do not. Before Microsoft formally deprecates SHA-1, make sure that your organization and the parties relying on your infrastructure can validate SHA-256 signatures: install the latest version of each application or browser and apply all available security updates to the operating system.
SHA-256 Support in Windows:
Microsoft Root Embedding Program Requirements: