Microsoft sets Feb 2017 date to kill last SHA-1 zombies
But you've already removed it from your servers, haven't you?
Microsoft has posted the next step in its deprecation of SHA-1 certificates, but they'll survive for nearly another year.
At that date, Microsoft's Edge Team writes, both Edge and Internet Explorer will block SHA-1 signed TLS certificates.
Before then – starting with the Windows 10 Anniversary Update (I'm going to P-A-R-T-Why? Because there's a big Windows update in the works!) – the two browsers will quit showing the lock icon for SHA-1-signed TLS certificates.
Edge on Windows 10, and IE on everything after Windows 7, will get the update, which will apply to certificates that “chain to a CA in the Microsoft Trusted Root Certificate program”, the post states.
In the meantime, to help gather data about daredevil sysadmins that have zombie SHA-1 certs shambling around yelling for brains, sysadmins can log their use of SHA-1.
After creating an appropriate directory, the following commands turn on the logs:
Certutil -setreg chain\WeakSignatureLogDir %LogDir% Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008
February 2017 is also the end-of-life date for anyone using SHA-1 code signing, as Microsoft announced here.
Windows 7 and higher, and Windows Server, will not trust code signed with an SHA-1 certificate time-stamped later than 00:00 UTC on February 14 2017. ®
Sponsored: Becoming a Pragmatic Security Leader