
SHA1 Migration - Internal CAs Upgrade Requirement

A lot of internet blogs are stating that if a SHA1 certificate is not upgraded by Jan. 1st, 2017, the SSL certificate will be rejected by most sites. Now, from what I understand, this will NOT affect your internal CAs issuing certificates unless your browser shows an alert, aka Chrome. So is the upgrade time a hard deadline for organizations, or is it just external SSL certificates for Bank of America or Entrust?

Thanks

Matt L.
  • Looks like it **will** affect internal CAs at least where Firefox is concerned. http://security.stackexchange.com/questions/67812/how-will-sha1-deprecation-affect-internal-cas – ceejayoz Nov 17 '16 at 17:31
  • That is understood, but my question lies within a question. Since we have Network Devices breaking SSL using the SHA1 certificate, will the actual Networking Device have an issue with SHA1 and cause all traffic to be questionable? Firefox and Chrome have warnings, but I need to know if this is going to break all of my Network / SSL communication. – Matt L. Nov 17 '16 at 17:48
  • @MattL.: `we have Network Devices breaking SSL using the SHA1 certificate` What does that mean? What network devices, and what are the certificate usages? – Greg Askew Nov 17 '16 at 18:46
  • The Root CA is SHA1. So Chrome and Firefox see all issued certificates from the issuing CAs as deprecated. Also our Palo Alto is doing URL Filter/SSL Inspection using the Root Certificate. On Jan 1st, 2017, will there be an impact to my users from this upgrade/change? – Matt L. Nov 21 '16 at 21:58

0 Answers