SHA-1 Decommissioning
The SHA-1 hashing algorithm for the Microsoft Root Certificate Program is being decommissioned
Introduction
This post contains information related to SharePoint Server technologies and associated certificates using the SHA-1 hashing algorithm.
More Information
On November 12, 2013, Microsoft Security Advisory 2880823 announced a policy change regarding the Microsoft Root Certificate Program: root certificate authorities will no longer be allowed to issue X.509 certificates using the SHA-1 hashing algorithm for SSL and code-signing purposes after January 1, 2016. As mentioned in the announcement, using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
In conjunction with Microsoft’s announcement about SHA-1, Google recently announced that Chrome browser builds would gradually sunset SHA-1 certificate support beginning in September 2014. See Gradually Sunsetting SHA-1 for more details.
For customers administering on-premises SharePoint Server environments such as SharePoint 2013 or 2010, users who visit SharePoint sites with the Google Chrome browser will be affected by the Chrome changes described in Google’s notice, which apply to any site using a SHA-1 certificate, including SharePoint sites. Those Chrome users will find that Chrome categorizes SHA-1 sites as “secure, but with minor errors”, “neutral, lacking security”, “active mixed content”, and “affirmatively insecure”.
To avoid issues associated with SHA-1 certificate deprecation, Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.
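One way to find the certificates this recommendation applies to, as an added PowerShell example (not from the original post or from Microsoft's guidance): it builds the chain for every certificate in a store and lists each chain element whose signature algorithm uses SHA-1. The store path `Cert:\LocalMachine\My` and the function name `Get-Sha1ChainElement` are assumptions chosen for illustration.

```powershell
# Added example: inventory certificates whose signature algorithm uses SHA-1.
# Assumption: the certificates of interest live in this store; change as needed.
$StorePath = 'Cert:\LocalMachine\My'

# Signature-algorithm OIDs that hash with SHA-1.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha-1WithRSAEncryption (legacy OIW OID)
    '1.2.840.10040.4.3',     # dsa-with-sha1
    '1.2.840.10045.4.1'      # ecdsa-with-SHA1
)

# Hypothetical helper: emits one object per SHA-1-signed element in the chain.
function Get-Sha1ChainElement {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checks: only the signature algorithm matters here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() returns $false for untrusted or expired chains; the elements it
    # could assemble are still listed, so the result is deliberately ignored.
    [void]$chain.Build($Certificate)

    $position = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        if ($Sha1SignatureOids -contains $cert.SignatureAlgorithm.Value) {
            New-Object PSObject -Property @{
                StoreCertificate   = $Certificate.Thumbprint
                ChainPosition      = $position   # 0 = the certificate in the store
                Subject            = $cert.Subject
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                NotAfter           = $cert.NotAfter
                SelfSigned         = ($cert.Subject -eq $cert.Issuer)
            }
        }
        $position++
    }
}

Get-ChildItem -Path $StorePath |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object { Get-Sha1ChainElement -Certificate $_ } |
    Sort-Object NotAfter |
    Format-Table StoreCertificate, ChainPosition, SelfSigned, SignatureAlgorithm, NotAfter, Subject -AutoSize
```

Rows with `ChainPosition` 0 are certificates to reissue with SHA-2; rows at higher positions mean the issuing CA's intermediate is itself SHA-1-signed. A `SelfSigned` root at the end of a chain is trusted through its presence in the root store rather than through its signature, so it is reported for information only.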
For more information about SHA-1 deprecation, visit the following Microsoft websites:
Microsoft Security Advisory 2880823
SHA1 Deprecation Policy
POST BY : Bryan Petersen [MSFT]
Comments
- Anonymous
November 12, 2014
Hello Bryan, we are using FAST Search for SP2010 and User Profile Services use SHA1 for communication; how will the SHA1 deprecation policy affect these services?