Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates in 2017

2 minute read

Home » News » Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates in 2017

We’ve long known that Microsoft was planning on blocking SHA-1 signed TLS certificates but recently, the company shared more details on the matter. Apparently, both Microsoft Edge and Internet explorer will both block SHA-1 signed TLS certificates beginning on February of 2017.

When the Anniversary Update rolls out, Microsoft Edge and Internet Explorer will no longer consider web pages protected with SHA-1 as secure. The lock icon in the address bar will be removed to indicate this, so any website with SHA-1 signed TLS will have to make some important changes before Microsoft rolls out this new update.

This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers, according to Microsoft.

Developers will want to know how to test block their SHA-1 signed TLS certificates. The following information will log your SHA1 certificates, so don’t expect your certificates to be blocked.

First Create a logging directory and grant universal access:

set LogDir=C:\Log
mkdir %LogDir%
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F) 
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %LogDir% /setintegritylevel L

Enable certificate logging

Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

Use the following command to remove the settings after you have completed your testing.

Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir

Microsoft has an entire web page explaining the need for this move among other things aimed at the developer crowd.

RELATED STORIES YOU NEED TO CHECK OUT:

Discussions

Next up

FIX: Outlook 2016 does not support setup for Exchange accounts

Tashreef Shareef avatar. By: Tashreef Shareef
2 minute read

Microsoft Outlook 2016 does not support manual setup for an Exchange account directly from the add accounts interface. The add account now has only two […]

Continue Reading

Xbox Live won’t work on child account? Here are the 2 ways fix it

Tashreef Shareef avatar. By: Tashreef Shareef
2 minute read

To prevent fraud and protect children from the online threat Xbox allows the parents to create Child account with restrictions. However, the parents can share […]

Continue Reading

Microsoft contractors might also listen to Xbox One commands

Vlad Turiceanu By: Vlad Turiceanu
2 minute read

Recently, it has been revealed that Microsoft contractors are listening to users through Cortana and Skype Translator. This piece of information created a lot of […]

Continue Reading