SHA1 is deprecated as of January 1st this year - at least on browsers. I have not switched my Ironport certificate yet, and not my intra Exchange certificate (the external ones are replaced). Will I get into trouble January 1st on my intra Exchange communication that uses TLS / SSL, and will I get problems with mail TLS negotiations on my Ironport MX?
- What specific problem are you trying to solve? In its current form, your question is far too broad. Details are needed. – EEAA Dec 23 '16 at 19:54
- I am wondering if I will get a problem with my services on Exchange and Ironport the 1st of January if I don't switch to a sha256 certificate (as my current expires in February) – normarth Dec 23 '16 at 19:58
- Of course you will! Upgrade ;) – BaronSamedi1958 Dec 23 '16 at 20:01
- Just get a new certificate. You should have done this long ago anyway. – EEAA Dec 23 '16 at 20:01
- Some SSL certificate vendors already offered to upgrade a SHA1 to a SHA2 cert for free (check the reissue certificate options). Mine did that, for example, as well as the one from a customer, so I could simply upgrade without risking anything. – BastianW Dec 23 '16 at 20:11
- I haven't read that services not used by browsers are affected by this. Also, Microsoft points to February? – normarth Dec 23 '16 at 20:13
- Do you want to have an orderly migration, or a 3 am emergency migration? This should have been done months ago; and whether non-browser clients are affected now or not, they _will be_ soon enough. This is not going away if you ignore it long enough. You (and likely many others reading this) have ignored it too long already. – Michael Hampton Dec 23 '16 at 20:25
- Of course I don't want a 3 am emergency migration. I have 2 certificates left to change - but wanted to turn to this community to ask if it's such an emergency that I have to switch it now (within the next 7 days), or if I can wait until January, as the two sha1 certificates in question expire in February. I didn't ask the question to get lectured on my priorities. :) – normarth Dec 23 '16 at 20:30
- You probably can get away with waiting until January, assuming your priorities don't get changed from above you. But it's so quick and easy to change certificates that, from the time you began writing this question, you probably could have finished by now. – Michael Hampton Dec 23 '16 at 21:14
1 Answer
You will not run into trouble as you probably have noticed. It is advisable however to upgrade your PKI server so that you can start using SHA2 certificates asap.

Jozef Woo