Windows Enforcement of SHA1 Certificates

For the last few months there has been a yellow alert from the Microsoft team on the enforcement of SHA1 certificates, and other certificate providers and browsers have raised it too. Although most public SSL certificates already use SHA2 (SHA256), there may still be some private certificates signed with SHA1, so this post covers the details of the SHA1 certificate deprecation. The enforcement process started in February 2017. On February 14, 2017, Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page alerting users that their connection is not secure. Though we do not recommend it, customers have the option to continue to the website.

The enforcement of SHA1 certificates may impact all applications that use HTTPS services, such as Exchange, Lync, System Center, SharePoint, etc. For details, you can visit this link, where Microsoft has shared its guidance.

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.


SHA, standing for secure hash algorithm, is a hash algorithm used by certification authorities to sign certificates and CRLs (certificate revocation lists). Introduced in 1993 by the NSA with SHA0, it is used to generate unique hash values from files.

Example: A file hashed with SHA1 could look like:

As with any cryptographic solution, SHA must evolve along with our computers' calculation capacities in order to avoid any weakness. There are, therefore, several versions of SHA: SHA0 (obsolete because vulnerable), SHA1 (the most popular one), SHA2 (the one we are interested in) and finally SHA3, introduced in 2012.


SHA2, not often used for now, is the successor of SHA1 and gathers 4 kinds of hash functions: SHA224, SHA256, SHA384 and SHA512. It works the same way as SHA1 but is stronger and generates a longer hash.

Hash attacks, SHA1 and SHA2

There are 2 kinds of attacks specific to hash:

  • A collision: there is a collision when 2 different files produce an identical hash. It is then possible to substitute one file for another. In our domain of expertise, we could then imagine replacing an official certificate with a fraudulent one having the same hash value. SHA0 is not resistant to collision attacks, which is the reason why it is not used anymore.
  • The pre-image: one needs to distinguish pre-image from first-preimage. The first one consists of 'guessing' a file value from its hash. The other one uses a hash to create a value different from the one that has been used to generate the hash.

Still, the question remains: what will happen after February 2017? Here is a summary that could help you.


                                       | Today                                                | February 14, 2017
TLS Server-Authentication Certificates | No lock icon Microsoft Edge and Internet Explorer 11 | Invalid Certificate
Code Signing Certificates              | Unaffected                                           | Unaffected
Timestamping Certificates              | Unaffected                                           | Unaffected
S/MIME Certificates                    | Unaffected                                           | Unaffected
OCSP and CRL Signing Certificates      | Unaffected                                           | Unaffected
OCSP Signatures                        | Unaffected                                           | Unaffected
OCSP Responses                         | Unaffected                                           | Unaffected
CRL Signatures                         | Unaffected                                           | Unaffected
Code Signature File Hashes             | Unaffected                                           | Unaffected
Timestamp Signature Hashes             | Unaffected                                           | Unaffected

For details, visit this link.
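
Since the summary above shows that only TLS server-authentication certificates are affected, and private certificates are the ones most likely to still be signed with SHA1, the following inventory script lists the SHA1-signed certificates in a Windows certificate store that are usable for server authentication. It is an added example, not code from Microsoft or from the original post; the default store path `Cert:\LocalMachine\My` and the variable names are assumptions to adjust for your environment.

```powershell
# Added example: find SHA-1-signed certificates usable for TLS server authentication.
param(
    # Assumption: the computer's personal store, where server certificates usually live.
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth (Server Authentication EKU)

# Signature algorithm OIDs that hash with SHA-1.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.3.14.3.2.29',          # legacy OIW sha-1WithRSAEncryption
    '1.2.840.10040.4.3',      # dsa-with-sha1
    '1.2.840.10045.4.1'       # ecdsa-with-SHA1
)

Get-ChildItem -Path $StorePath -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $cert = $_

        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }

        # A certificate without an EKU extension is valid for every purpose,
        # so it counts as usable for server authentication.
        $ekuOids    = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $serverAuth = (-not $eku) -or ($ekuOids -contains $ServerAuthOid)

        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            IsSha1Signed       = $Sha1SignatureOids -contains $cert.SignatureAlgorithm.Value
            ServerAuth         = $serverAuth
            Thumbprint         = $cert.Thumbprint
        }
    } |
    Where-Object { $_.IsSha1Signed -and $_.ServerAuth } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, SignatureAlgorithm, NotAfter, Thumbprint -AutoSize
```

The check looks at the certificate's signature algorithm, not its thumbprint: Windows always shows the thumbprint as a SHA1 value, even for certificates signed with SHA256.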
