SHA-1 SSL Deprecation - Move to self signed?

In my work environment we use a trusted CA for our internal SSL certs, and we are currently using SHA-1. A current project has me researching SHA-2 as part of the SHA-1 deprecation, and I am wondering why we don't just use our own self-signed SSL certificates if all they are used for is internal server-to-server communication? I am doing some research and I am quite confused as to the exact date Microsoft will stop accepting SHA-1 certificates. See the Google search link below. (Does this pertain to both desktop and server OSs?)

I am under the impression that Windows (desktop and server OS) will prompt our users to trust the certificate on 1/1/2017 if the SSL certificate is SHA-1.

Can someone please clarify what is going to happen once SHA-1 is deprecated, "as per Microsoft"?

Google Search

Thank you in advance!!!
nightshadz Asked:

nightshadz (Author) Commented:
I want to add that the reason why we want to continue to use SHA-1 is due to internal applications interfacing with an IBM TDS LDAP that exports and provides certs to said applications.
0
Dave Baldwin (Fixer of Problems) Commented:
It isn't just Microsoft, it is the entire industry.  There is probably an upgrade to your "IBM TDS LDAP" to accommodate that.
0
nightshadz (Author) Commented:
There is an upgrade to the LDAP, but it's also an issue of what type of SSL certificates we need to use. If it's SHA-2, then that widens the scope of this project significantly, as some systems using IBM's GSKIT 7 will not accept SHA-2.

Please let me know if you have anything to add to my comment. I will leave the question open for a day or two.

Thank you!
0

Dave Baldwin (Fixer of Problems) Commented:
Only that systems that won't accept SHA-2 will eventually be out of business. The industry has also started refusing to issue 'internal' certificates for web sites. I don't know if that affects what you are doing but you might want to check with Digicert https://www.digicert.com/ and Verisign http://www.verisign.com/ to see if you can still get the certificates that you need in the future.
0
nightshadz (Author) Commented:
It does affect what we are doing and it hit us very hard. It's funny you mention "the industry" lol. Before Verisign decided to stop issuing SHA-1 in favor of SHA-2, they issued us SHA-1 (late 2014) for our DEV environment as our DEV SSL certs were a few months from expiration. When we made the same request for PROD a few months later, they gave us SHA-2 but never told us, and we were wracking our brains wondering why they wouldn't import... and it was because IBM's GSKIT 7 won't accept SHA-2. This was a huge problem.

So my main question is, can we "self-sign" SHA-1 and be ok until 1/1/2017 if all we are using the certs for is internal server use? What happens after 1/1/2017 and we are still using self-signed SHA-1?
0
Dave Baldwin (Fixer of Problems) Commented:
There have been several similar questions on this here.  The first time I heard of this was when someone couldn't get an internal certificate from Godaddy because they said the industry doesn't issue them anymore.  I don't really know the answer.  Self-signed certificates have their own problems in that they have to be 'approved' when they are first encountered as a security exception.
0
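The thread asks whether self-signing certificates for internal server-to-server use is an option once public CAs stop issuing SHA-1, and the last comment notes that self-signed certificates have to be trusted explicitly by each peer. The script below is an added example, not code from the thread or from any of the products mentioned: it generates a self-signed certificate that is already signed with SHA-256 (so it does not depend on a SHA-1 cut-off date at all), and it includes an audit function that reports a certificate's signature algorithm and flags SHA-1, which is the check to run over an inventory of internal certificates. It assumes a POSIX shell with the `openssl` command line tool; the hostname `internal.example.test` and the temporary file names are constructed for the example. Whatever the hash, a self-signed certificate still has to be installed in the trust store of every peer that talks to the server, which is the approval step the comment above refers to.

```shell
#!/bin/sh
# Added example (not from the thread): generate a SHA-256 self-signed
# certificate for an internal host and audit any PEM certificate for a
# SHA-1 signature.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/internal.crt"   # constructed path for the example
KEY="$WORKDIR/internal.key"    # constructed path for the example

# Create a self-signed certificate whose signature uses SHA-256 (SHA-2 family).
# The subject "internal.example.test" is a constructed hostname.
make_self_signed_sha256() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=internal.example.test" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Print the signature algorithm recorded in a PEM certificate,
# e.g. "sha256WithRSAEncryption" or "sha1WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' \
        | head -n 1
}

# Return 0 when the certificate is NOT signed with SHA-1, 1 when it is.
# Run this over every internal certificate (self-signed or CA-issued)
# to find the ones that still need replacing.
cert_is_not_sha1() {
    case "$(cert_sig_alg "$1")" in
        sha1*|*SHA1*) return 1 ;;
        *) return 0 ;;
    esac
}

make_self_signed_sha256
echo "Signature algorithm: $(cert_sig_alg "$CERT")"
if cert_is_not_sha1 "$CERT"; then
    echo "OK: $CERT is not SHA-1 signed"
else
    echo "WARN: $CERT uses a SHA-1 signature and should be replaced"
fi
```

To audit an existing certificate rather than the freshly generated one, call `cert_is_not_sha1 /path/to/cert.pem`; the function reads the algorithm the certificate was actually signed with, so it also catches the case in the thread where a CA silently switched the hash between two requests.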