Impact of SHA1 Certificate Deprecation
I am currently developing in an environment where EAP-TLS authentication is being used on an embedded WiFi radio. On that radio, we load multiple certificates for authentication (a client certificate, a private key file for the client, and a root CA certificate). I have recently come across this Windows Blog post and a few other posts about the deprecation of the SHA1 hash algorithm for certificate signing.

My main question/concern is that the radio that I am using does not support the use of any certificates stronger than SHA1 (no SHA2 support at all) and I wanted to know if EAP-TLS and other 802.1X methods are going to be affected by this shift to SHA2. Will CAs (either the Root CA if the customer created their own or the Intermediate CA, in the case that my customers use a third party Root CA) be able to issue SHA1 certificates still or will that be stopped as well?

I appreciate any help and support regarding this issue.

Coughlin answered 14/11, 2016 at 21:34 Comment(1)
See also the Stack Overflow question "which Root CA still issues sha1 ssl certificates?" Filariasis

SHA1 deprecation policy in Microsoft products affects only certificates issued by members of Trusted Root Program. SHA1 will continue to work for certificates issued by private CAs: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx

Geier answered 14/11, 2016 at 21:45 Comment(2)
CryptoGuy: Thank you very much for the response and the article. This assuages my fears that our current product will no longer work after February. I have one other question pertaining to this. Do you know if a certificate-issuing Root CA or Intermediate CA that is on SHA2 already is able to issue SHA1 certificates, or would a second Intermediate CA on SHA1 be needed? Coughlin
Technically, it is possible. However, for compatibility purposes I would strongly suggest running separate PKI trees, where one tree will serve SHA1 certificates for legacy clients (that don't support SHA2) and the other SHA2 certificates for modern clients. Geier
