Major browsers have started removing support for SHA-1 certificates, as is the case with the latest Google Chrome 56, Mozilla Firefox 51, and Internet Explorer 11 versions. As a result, you might experience behavior changes with affected browsers, as follows:
- Chrome displays a "not secure" message and a red warning triangle, and 'https' crossed out. If you click it, a message explains "Your connection to this site is not secure. You should not enter any sensitive information."
- Internet Explorer 11 omits the padlock icon at the right of the address bar and shows 'https' in gray rather than black. This is not very noticeable.
- Mozilla Firefox blocks the page and displays a "This Connection is Untrusted" message. To continue, you must add an exception. After you add the exception, the browser displays a yellow warning triangle over the padlock icon.
- Microsoft Edge omits the padlock icon it shows on other secure sites. This is not very noticeable.
Upgrade the root CA to SHA256:
- Verify whether your CA is using a Cryptographic Service Provider (CSP), which only supports up to SHA-1, or a Key Storage Provider (KSP), which supports SHA256. If you are using a CSP, upgrade to a KSP before continuing. Refer to the Microsoft article linked in the Additional Information section below for instructions on checking this setting and upgrading if needed.
- Upgrade the hashing algorithm to SHA256 through an elevated command line:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
- Renew the certificate by going to MMC > Certification Authority (Local) snap-in. Right-click the CA and select All Tasks > Renew CA Certificate. Select whether you want to keep the existing keys or create new ones.
- The signature hash algorithm of the Root CA certificate should change to SHA256. Check whether the new certificate is using SHA256 by going to Certification Authority, selecting the new certificate and viewing its properties, as shown below.
- Install the new SHA256 Root CA and subordinate certificates in the ProxySG appliance as described in KB article 000022680.
Note: Creating a CSR in SHA256 in the ProxySG appliance is NOT required for the Root CA server to sign the intermediate certificate with SHA256. This means you can create the CSR in SHA1, and when signed by the Root CA, it applies SHA256 to the intermediate certificate. See KB article 000022556 for details.
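The following PowerShell script is an added example, not part of this KB article and not code from Broadcom or Microsoft. It wraps the checks behind steps 1, 2 and 4 above so they can be repeated from an elevated prompt on the Windows root CA: it reads the CA's CSP/KSP settings from the AD CS registry location, switches the CNG hash to SHA256 with the certutil command from step 2 (followed by the service restart that certutil asks for), and then reports the signature algorithm of the renewed root certificate and of the intermediate you signed for the ProxySG. It assumes a single CA on the host, the standard AD CS registry layout (ProviderType 0 with a "Key Storage Provider" name for a KSP, as in Microsoft's CSP-to-KSP migration guidance), and the placeholder file path C:\temp\proxysg-intermediate.cer for the exported intermediate certificate.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell on the root CA.
# Assumptions: one CA configured on this host; AD CS registry layout as documented by
# Microsoft; 'C:\temp\proxysg-intermediate.cer' is a placeholder for your own file.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # name of the active CA

function Get-CaCryptoSettings {
    # Step 1: is the CA on a legacy CSP (SHA-1 only) or on a CNG KSP (SHA256 capable)?
    $csp = Get-ItemProperty -Path "$cfg\$caName\CSP"
    [pscustomobject]@{
        CA               = $caName
        Provider         = $csp.Provider           # e.g. 'Microsoft Software Key Storage Provider'
        ProviderType     = $csp.ProviderType       # 0 for a KSP, non-zero for a legacy CSP (assumption from MS guidance)
        CNGHashAlgorithm = $csp.CNGHashAlgorithm   # SHA1 or SHA256; only meaningful on a KSP
        IsKsp            = ($csp.ProviderType -eq 0 -and $csp.Provider -like '*Key Storage Provider*')
    }
}

function Set-CaHashSha256 {
    # Step 2 from the article, then restart certsvc so the new registry value takes effect.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    Restart-Service -Name certsvc
}

function Get-CurrentRootCaCert {
    # The CA's own (self-signed) certificates live in the machine's Personal store with
    # the private key; the most recently issued one is the renewed certificate.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Get-SignatureAlgorithm {
    # Step 4 check for any certificate: accepts an X509Certificate2 or a DER/Base64 .cer path.
    param([Parameter(Mandatory)] $Certificate)
    if ($Certificate -is [string]) {
        $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Certificate
    }
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        NotAfter           = $Certificate.NotAfter
        Thumbprint         = $Certificate.Thumbprint
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName   # expect 'sha256RSA' after the renewal
    }
}

# --- usage ---
$before = Get-CaCryptoSettings
$before
if (-not $before.IsKsp) {
    Write-Warning "CA '$($before.CA)' uses a legacy CSP; migrate it to a KSP (see the linked Microsoft article) before changing the hash."
    return
}
if ($before.CNGHashAlgorithm -ne 'SHA256') { Set-CaHashSha256 }

# After renewing the CA certificate in the MMC (step 3), confirm the root now reports sha256RSA.
Get-SignatureAlgorithm -Certificate (Get-CurrentRootCaCert)

# The intermediate signed for the ProxySG should also report sha256RSA, even when its CSR
# was generated with SHA-1 (see the Note above). Placeholder path:
# Get-SignatureAlgorithm -Certificate 'C:\temp\proxysg-intermediate.cer'
```

Run the script once before the change to record the provider and hash settings, and again after the MMC renewal: the root entry should show sha256RSA, and the exported intermediate should show the same, which is the condition under which the browsers listed at the top of the article stop flagging the ProxySG-intercepted sites.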