PKI Certificate Services SHA-1 Deprecation

So everyone one is talking about SHA-1 and how it becomes less secure hash function. People are talking about a quick phase out and move to more secure alternative. So what’s the story?

I would like to share with you my own thoughts and research in the whole SHA1 being insecure and the need to go to another alternative. I will also talk in future posts about how to migrate your Microsoft PKI to support the new SHA-2 hash function.

But i cannot start talking about how to solve the problem before spending some time analyzing the current situation and talking about some cryptography theories. It is hard to jump to conclusions and solutions if you are not fully aware of the current situation.


This blog post is moved to my new blog platform here:

11 comments on “PKI Certificate Services SHA-1 Deprecation

  1. I believe from listening to Security Now, that Google are aggressively pushing SH1 notices via Chrome this year. No word as yet what the warning will be when visiting such a site.

  2. Pingback: Cryptographic Providers: SHA-1 & SHA-2 support | Ammar Hasayen - Blog

  3. Pingback: SHA-2 Support – Migrate your CA from CSP to KSP | Ammar Hasayen - Blog

  4. Pingback: What makes a CA capable of issuing certificates that uses SHA-2? | Ammar Hasayen - Blog

  5. Pingback: SHA-1 Broken, Migrating to SHA-2 | Ammar Hasayen - Blog

  6. Pingback: Deploy Offline Root CA in Windows 2012 R2 – SHA-2 Ready | Ammar Hasayen - Blog

  7. Pingback: My readings in 2015 week 45 | My path to become awesome dev

  8. Pingback: Active Directory Certificates Services – quelle architecture dois-je déployer ? – La communauté METSYS

  9. Thanks for a very well written article. It was easy to follow despite the complexity of the topic. I have a question: how about the impact of SHA-1 deprecation on client-side certificates for mutual TSL authentication? If a website is already using SHA-2 certificate, can users still continue authenticate themselves to that website using SHA-1 personal certificates (that are already in their Windows certificate stores) after 2016? Is there an urgency to transition SHA-1 personal certificates to SHA-2 in view of the deprecation policies of Microsoft and Google?

  10. To ” it is impossible (not possible in reasonable time) to find two messages that hash to the same hash value.”:

    To my knowledge that is true only for files with the same size!
    E. g. if one file has 10 bytes lenth and another one has 25 bytes chances are that they can get the same hash result value.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s