Skip to main content
April 29, 2016

An update to our SHA-1 deprecation roadmap

In November, we shared a SHA-1 Deprecation Update with some early details on our schedule for blocking SHA-1 signed TLS certificates. Today we would like to share some more details to share on how this will be rolled out.

Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure. This change will be in upcoming Windows Insider Preview builds soon, and will be deployed broadly this summer. In mid-2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

Test blocking of SHA-1 TLS Certificates

You can enable logging your use of SHA1 certificates by typing the following commands into an Administrator Command Prompt. The following command does not block the use of SHA1 TLS certificates; however, it will log the certificate to the provided directory.

First Create a logging directory and grant universal access:

set LogDir=C:\Log
mkdir %LogDir%
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F) 
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %LogDir% /setintegritylevel L

Enable certificate logging

Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

Use the following command to remove the settings after you have completed your testing.

Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir

Additional information on these commands and other protections against weak crypto can be found here: Protecting Against Weak Cryptographic Algorithms.

– Alec Oot, Senior Program Manager
– Mike Stephens, Senior Program Manager

Update as of 7/24/2016:

The above changes to the lock icon for SHA-1 protected sites are now available on all supported versions of Microsoft Edge and Internet Explorer 11. These changes are included in the following updates: