NetFort Tips & Tricks: SHA-1 expire time has arrived, it's time to migrate to SHA-2

Effective Tuesday January 24th 2017, Mozilla's Firefox browser will be the first major browser to display a warning to visitors of any site whose TLS certificate is not signed with a SHA-2 hashing algorithm. More reading here

Background to the SHA-1 changes

The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.

It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:
  • Google is planning to penalize sites that use SHA-1 certificates that expire during or after 2016
  • Microsoft is to retire support for SHA-1 certificates in the coming months. Sites using SHA-1 will be blocked effective January 2017
  • Browser vendors are shutting down support for SHA-1 digital certificates

What you need to do right now

If you are running public-facing web services, then this problem may seem obvious. However, many network devices such as printers run embedded web servers, so the SHA-1 issue will affect nearly all computer networks. The advice is to spend some time looking at the problem now, rather than waiting for user complaints in 2017.

At a minimum, we recommend the following:

  1. Inventory your existing certificates with LANGuardian, which has SHA-1 reporting built in. SSL inventory enables LANGuardian to run several useful checks against SSL server configurations. LANGuardian can detect the following:
     • Expired certificates
     • Certificates which are about to expire
     • Certificates with weak signature algorithms (MD5/SHA-1)
  2. Replace SHA-1 certificates that expire after 2015. This may require a new server platform, as operating systems such as Windows Server 2003 are not able to support SHA-256 certificates.
  3. Ensure new certificates and their chains are based on SHA-2.
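A minimal inventory script for the three steps above, added here as an example and not NetFort's or LANGuardian's code: it assumes the openssl command-line tool is installed, treats the host names passed on the command line and the WARN_DAYS threshold as constructed inputs, and reports each host's leaf-certificate signature algorithm (flagging MD5/SHA-1) together with its expiry status.

```shell
#!/usr/bin/env bash
# Added example: inventory the certificates hosts present and flag MD5/SHA-1
# signatures plus expired or soon-to-expire certificates. Needs the openssl CLI.
WARN_DAYS="${WARN_DAYS:-30}"   # "about to expire" threshold in days (constructed default)

# classify_sigalg <algorithm-name>: WEAK for MD5/SHA-1 (any key type),
# OK for the SHA-2 family, UNKNOWN otherwise (e.g. Ed25519).
classify_sigalg() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *md5*|*sha1*)                        echo WEAK ;;
    *sha224*|*sha256*|*sha384*|*sha512*) echo OK ;;
    *)                                   echo UNKNOWN ;;
  esac
}

# cert_sigalg <pem-file>: the signature algorithm the issuer used on this cert
cert_sigalg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}'
}

# cert_expiry_status <pem-file>: EXPIRED, EXPIRING (within WARN_DAYS) or VALID
cert_expiry_status() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
    echo EXPIRING
  else
    echo VALID
  fi
}

# cert_report <label> <pem-file>: one tab-separated inventory line
cert_report() {
  sigalg=$(cert_sigalg "$2")
  printf '%s\t%s\t%s\t%s\n' "$1" "$sigalg" "$(classify_sigalg "$sigalg")" "$(cert_expiry_status "$2")"
}

# fetch_cert <host> <port> <out-file>: save the leaf certificate a server presents
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3" 2>/dev/null
}

# Usage: WARN_DAYS=60 ./cert-inventory.sh www.example.com printer.internal:443
for target in "$@"; do
  host="${target%%:*}"; port="${target##*:}"; [ "$port" = "$target" ] && port=443
  tmp=$(mktemp)
  if fetch_cert "$host" "$port" "$tmp"; then cert_report "$host:$port" "$tmp"; else printf '%s\tFETCH-FAILED\n' "$host:$port"; fi
  rm -f "$tmp"
done
```

The script inspects only the leaf certificate; to cover the chain as step 3 requires, add -showcerts to the s_client call and run cert_report over each certificate in its output.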

Our blog post here offers some additional reading on this topic.
Aisling Brennan, Official Rep

Posted 2 years ago
