SHA-1 deprecation FAQs

Q: What will happen if my site has SHA-1 SSL certificates?
A: Visitors to your site may see negative visual security indicators if its SHA-1 certificates are valid beyond December 31, 2015. Visitors on Windows will not be able to access sites with SHA-1 certificates after January 1, 2017.

 

Q: What should I do?
A: Web site/service owners using HTTPS/SSL certificates should take inventory of their certificates and plan on migrating affected SHA-1 SSL certificates before November 2014. Affected SHA-1 SSL certificates are those with validity beyond December 31, 2015. SHA-1 certificates can still be issued, but their validity is not to exceed December 31, 2015.
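
An added example (not part of the original FAQ, and not Tufts tooling): one way to take the inventory described above, by classifying text saved from `openssl x509 -noout -text` against the dates in this FAQ. The host names and sample excerpts are constructed, and reading "after January 1, 2017" as "still valid past that date" is an assumption.

```python
import re
from datetime import datetime

# Dates from the FAQ. Reading "after January 1, 2017" as "still valid past
# 2017-01-01 00:00 GMT" is an assumption of this example.
SHA1_VALIDITY_LIMIT = datetime(2015, 12, 31, 23, 59, 59)
WINDOWS_CUTOFF = datetime(2017, 1, 1)

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")


def classify(cert_text):
    """Classify one certificate from its `openssl x509 -noout -text` output."""
    sig = SIG_RE.search(cert_text)
    end = NOT_AFTER_RE.search(cert_text)
    if not sig or not end:
        return "unparsed"  # an unreadable entry must not be counted as safe
    # openssl pads single-digit days with an extra space; collapse it.
    stamp = " ".join(end.group(1).split())
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    # Matches sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1.
    if "sha1" not in sig.group(1).lower():
        return "ok"
    if not_after > WINDOWS_CUTOFF:
        return "affected-blocked-on-windows"
    if not_after > SHA1_VALIDITY_LIMIT:
        return "affected"
    return "sha1-expires-in-time"


def inventory(certs):
    """Map each name in {name: openssl text} to its classification."""
    return {name: classify(text) for name, text in certs.items()}


def sample_text(algo, not_after):
    # Constructed excerpt in the layout `openssl x509 -text` prints.
    return (f"    Signature Algorithm: {algo}\n        Validity\n"
            f"            Not After : {not_after}\n")


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "www.example.edu": sample_text("sha1WithRSAEncryption", "Mar  1 23:59:59 2016 GMT"),
    "vpn.example.edu": sample_text("sha1WithRSAEncryption", "Jun 30 12:00:00 2017 GMT"),
    "old.example.edu": sample_text("sha1WithRSAEncryption", "Dec 31 23:59:59 2015 GMT"),
    "new.example.edu": sample_text("sha256WithRSAEncryption", "Jun 30 12:00:00 2017 GMT"),
}
```

Entries reported as "unparsed" need a manual look rather than being assumed safe.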

 

Q: Is SHA-1 still safe? Why do I need to migrate?
A: The Certification Authority/Browser (CA/B) Forum and industry leaders are proactively looking for ways to help secure web environments and infrastructure. SHA-1 has been a widely accepted industry standard; however, SHA-2 contains a number of improvements to strengthen security. In addition, the National Institute of Standards and Technology (NIST) has recommended using SHA-2 instead of SHA-1.

 

Q: Does SHA-1 migration apply to code signing certificates?
A: Yes. Although code signing certificates are not included in Google’s SHA-1 deprecation plan, they are affected by Microsoft’s plan.

 

Q: When should I migrate?
A: Before November 2014, web site/service owners should replace certificates that expire after December 31, 2015.

 

Q: Can my server accept a SHA-2 Certificate?
A: Please check your server's documentation to ensure it can accept a SHA-2 certificate.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.