November 18, 2016

SHA-1 deprecation countdown



The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web. Microsoft, in collaboration with other members of the industry, is working to phase out SHA-1. We have outlined our timeline for SHA-1 deprecation in earlier posts, most recently in April. This post is to clarify some of our most commonly asked questions, and to help you test ahead of time.

Update (4/26/2017): Starting on May 9, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the Windows 10 Creators Update blocks SHA-1 by default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions below.

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers migrate quickly to SHA-256.

Additional information on Microsoft’s overall SHA-1 deprecation plans can be found on TechNet.

Microsoft Edge will display an invalid certificate warning when browsing to a site protected with a SHA-1 certificate

Frequently asked questions

How can I disable SHA-1 today?

You can disable SHA-1 today for testing by running the following commands from an Administrator Command Prompt:

First, create a logging directory and grant universal access:

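[code language="powershell"]
rem Run from an elevated Command Prompt (cmd.exe); %LogDir% is cmd variable syntax.
set LogDir=C:\Log
mkdir %LogDir%
rem Grant full control, inherited by files and subfolders, to:
rem   S-1-15-2-1 (ALL APPLICATION PACKAGES), S-1-1-0 (Everyone), S-1-5-12 (RESTRICTED)
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
rem Label the directory Low integrity so low-integrity processes can write to it.
icacls %LogDir% /setintegritylevel L
[/code]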

Next, enable certificate logging and SHA-1 blocking:

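[code language="powershell"]
rem Point weak-signature logging at the directory created above.
Certutil -setreg chainWeakSignatureLogDir %LogDir%
rem Enable logging and SHA-1 blocking.
Certutil -setreg chainWeakSha1ThirdPartyFlags 0x80040004
[/code]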

Important: Use the following commands to remove the settings after you have completed your testing.

[code language="powershell"]
Certutil -delreg chainWeakSha1ThirdPartyFlags
Certutil -delreg chainWeakSignatureLogDir
[/code]

How will other Windows applications and older versions of Internet Explorer be impacted?

Third-party Windows applications that use the Windows cryptographic API set and older versions of Internet Explorer will not be impacted by the mid-2017 changes by default.

How will SHA-1 client authentication certificates be impacted?

The mid-2017 update will not prevent a client from using a SHA-1 signed certificate for client authentication.

What about cross-signed certificates?

Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for mid-2017.

― Alec Oot, Senior Program Manager
― Jody Cloutier, Senior Program Manager
