We have previously reviewed the implementation of SHA-2, but with Bruce Schneier stating the need to migrate away from SHA-1, and with Microsoft's SHA-1 deprecation policy in place, the industry must start to make some progress in 2014.
Web server administrators will have to make plans to move from SSL and code signing certificates signed with the SHA-1 hashing algorithm to certificates signed with SHA-2. This is the result of the new Microsoft Root Certificate Policy where Microsoft deprecates SHA-1 and imposes the following requirements:
The good news is that Windows and Internet Explorer support SHA-2. In fact, new versions of Mac OS X, Firefox, Chrome, Opera, Java and Adobe Acrobat/Reader all support SHA-2.
The bad news? Some enterprises might be running an application that does not support SHA-2. If you are unsure, you need to do some investigation or testing to see whether your systems support SHA-2, and factor the results into your migration plan.
That said, it is not over. Microsoft plans to review the deadlines in July 2015 and consider whether SHA-1 is still resistant to pre-image attacks and whether a significant portion of the ecosystem is still not capable of switching to SHA-2.
In the short term you will likely see your CA take some action, such as:
If you perform some testing and find that your application does not support SHA-2, then it would be advisable to inform your CA or Microsoft.