Microsoft Ends SHA-1 Certificate Support: Where's the Lock Button?


LITTLE ROCK, AR, July 12, 2016 — Today, Windows 10 users will notice that Microsoft Edge and Internet Explorer no longer treat websites protected by a SHA-1 certificate as secure and remove the lock icon from the address bar for those sites. For now these sites continue to work but are not considered secure; starting in February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

Microsoft accelerated its plans to force this migration from a previous target of November 2017. This has caught many organizations off guard and reinforces the need for urgent action to avoid business and customer loss. “For many organizations this is frankly a colossal task given the number of CAs, certificates, and business critical applications that depend on digital certificates,” explains John Joyner, Microsoft MVP for Cloud and Datacenter Management and Senior Director, Technology at ClearPointe.

The Secure Hash Algorithm “SHA-1”, for many years the standard and the default for Microsoft CAs, is being deprecated globally. SHA-1 has been found to carry more risk than previously recognized, and enterprises and governments need to migrate to the stronger “SHA256” algorithm quickly. “ClearPointe has used Microsoft CAs to federate its global remote monitoring and management solutions for over 15 years,” added Joyner. “We have been working with some of the world’s largest private CAs to migrate safely to new PKI infrastructures that are highly available, performant, and secure using SHA256 technology in preparation for the 2017 cutoff.”

Migration efforts are often complicated by legacy PKI infrastructures in large organizations that are complex, poorly understood or documented, and contain rogue or siloed standalone CAs and duplicate enterprise CAs. In the most security-conscious organizations, the presence of Hardware Security Modules (HSMs) for PKI key storage, or the need to introduce or upgrade them, complicates migration planning even further.
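One concrete check a PKI team can run while inventorying certificates during the migration described above, added here as an example and not code from the original release or from ClearPointe: a standard-library-only Python reader that pulls the signatureAlgorithm OID out of a DER-encoded certificate and flags the SHA-1 variants. The OID table holds well-known values; the two sample certificates at the end are constructed placeholders with dummy tbsCertificate and signature bytes, not real certificates.

```python
# Well-known signature-algorithm OIDs; True marks the SHA-1 variants browsers now reject.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # remaining arcs are base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm field (the one a TLS client inspects)."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, after_tbs)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def classify(der_cert):
    """(algorithm name, uses_sha1) for a DER certificate; unknown OIDs are not flagged."""
    return SIGNATURE_OIDS.get(signature_algorithm(der_cert), ("unknown", False))

# Constructed samples: structurally minimal Certificate SEQUENCEs with dummy tbsCertificate
# and signature bits, NOT real certificates; only the signatureAlgorithm field is meaningful.
SHA1_SAMPLE = bytes.fromhex("3016" "3003020102" "300b06092a864886f70d010105" "030200aa")
SHA256_SAMPLE = bytes.fromhex("3016" "3003020102" "300b06092a864886f70d01010b" "030200aa")
```

A PEM file can be fed in with `classify(ssl.PEM_cert_to_DER_cert(open(path).read()))` from the standard library. The check reads only the outer signatureAlgorithm, so a chain must be checked certificate by certificate.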

“Virtually every large-scale organization in the world hosting their own Public Key Infrastructure (PKI) Certificate Authority (CA) and issuing their own digital certificates needs to complete a migration from a legacy CA based on the SHA-1 to the SHA256 cryptographic algorithm,” said Joyner. 

Mobile Device Management (MDM) apps such as AirWatch and Microsoft Intune, many office Wi-Fi appliances (including Cisco and Meraki) and apps, load balancers (such as F5 and Citrix NetScaler) and proxy servers, and all Microsoft System Center Configuration Manager (SCCM) clients will be affected.

ClearPointe is a proven industry leader in PKI and CA architecture, deployment and management including planning and project management. ClearPointe is a privately owned technology company with customers in every time zone around the world. 


Malina Vibhakar | 501.801.7795 |
