
I have a website with about 60,000 paying customers; 3000 of them use Windows XP + IE 8. I want to have a certificate that would serve all of my clients (or a multi-certificate solution). The issue is that SHA-1 is deprecated, so I want to move to SHA-2, but Windows XP (pre-Service Pack 3) doesn't support SHA-2.

So I am looking for a solution to serve both SHA-2 for modern browsers and SHA-1 for my really annoying customers who still use XP + IE 8. Any ideas?

Thanks!!

  • According to http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx most of it should work, provided the machines are running XP SP3 – Timothy Groote Nov 03 '15 at 16:14
  • That is correct, but I can't tell which service pack is installed on the client machine, and I have 3000 Windows XP users on my website; surely some of them don't have XP SP3 – michael haberman Nov 03 '15 at 16:25

1 Answer


There isn't any reliable way to get your 3000 users with XP SP2 to have SHA2 support. A power user might be able to hack up something by replacing crypt32.dll and rsaenh.dll with patched versions, but it's definitely not a supportable solution.

Read the answers to this question for some more details: https://superuser.com/questions/802693/sha2-support-for-windows-xp-sp2-any-hotfix-or-dll-available

David Ostrovsky