Relevant Items

Changes to Support SHA-1 Migration | BLOG

Entrust provides security beyond the TLS certificate. We are a strong supporter of the CA/Browser Forum standards and also support the requirements provided by our root embedding partners such as Microsoft and Mozilla. Over the last two years, the TLS industry has been actively migrating certificate subscribers from TLS certificates signed with the SHA-1 hashing algorithm to the SHA-256 hashing algorithm. Entrust supports this progress and actually recommended hash algorithm migration one year before the industry policy change. As shown by SSL Pulse of February 2016, 88-percent of the largest web sites have migrated over to SHA-256. Further analysis would also show that a majority of the remaining SHA-1 sites will migrate to SHA-256 by December 31, 2016. These sites are generally used by browsers, which have been supporting SHA-256 for a long period of time. However, there are still some subscribers that are still having difficulty migrating. These subscribers generally run services that need to support non-browser clients. The difficulty with these clients is that they are not managed in a similar way to browsers and are not updated on a regular basis. As such, we see payment processors and point-of-sale devices that still only support the SHA-1 hashing algorithm. Although Entrust supports the migration to SHA-256, we also see the difficulty that some subscribers are experiencing. To support these subscribers, Entrust plans to do the following:

  • Issue SHA-1 signed TLS certificates to existing customers to support non-browser clients.
  • Validate SHA-1 TLS certificates to our legacy root, Entrust.net Secure Server Certification Authority. Note that this root has been removed from the Microsoft, Mozilla and Apple root embedding programs.
  • Ensure SHA-1 signed certificates have a validity period of 1 year or less and contain entropy in the serial number or validity period.
Entrust will continue to support the migration from SHA-1 to SHA-256. Entrust does not issue SHA-1 signed SSL/TLS certificates validated to any public trust root or issuing CA that currently meets the CA/Browser Forum Baseline Requirements. As such, users of modern browsers and operating systems are not affected by the issuance of SHA-1 SSL/TLS certificates from this legacy root.