SHA-1 SSL Deprecation - Move to self signed?

In my work environment we use a trusted CA for our internal SSL certs, and we are currently using SHA-1. A current project has me researching SHA-2 as part of the SHA-1 deprecation, and I am wondering why we don't just use our own self-signed SSL certificates if all they are used for is internal server-to-server communication? I am doing some research and I am quite confused as to the exact date Microsoft will stop accepting SHA-1 certificates. See the Google search link below. (Does this pertain to both desktop and server OSes?)

I am under the impression that Windows (desktop and server OS) will prompt our users to trust the certificate on 1/1/2017 if the SSL certificate is SHA-1.

Can someone please clarify what is going to happen once SHA-1 is deprecated, "as per Microsoft"?

Google Search

Thank you in advance!!!
Asked by nightshadz
Dave Baldwin (Fixer of Problems) commented:
There have been several similar questions on this here. The first time I heard of this was when someone couldn't get an internal certificate from GoDaddy because they said the industry doesn't issue them anymore. I don't really know the answer. Self-signed certificates have their own problems in that they have to be 'approved' when they are first encountered as a security exception.
nightshadz (Author) commented:
I want to add, the reason why we want to continue to use SHA-1 is due to internal applications interfacing with an IBM TDS LDAP that exports and provides certs to said applications.
Dave Baldwin (Fixer of Problems) commented:
It isn't just Microsoft, it is the entire industry. There is probably an upgrade to your "IBM TDS LDAP" to accommodate that.
nightshadz (Author) commented:
There is an upgrade to the LDAP, but it's also an issue of what type of SSL certificates we need to use. If it's SHA-2, then that widens the scope of this project significantly, as some systems using IBM's GSKIT 7 will not accept SHA-2.

Please let me know if you have anything to add to my comment. I will leave the question open for a day or two.

Thank you!
Dave Baldwin (Fixer of Problems) commented:
Only that systems that won't accept SHA-2 will eventually be out of business. The industry has also started refusing to issue 'internal' certificates for web sites. I don't know if that affects what you are doing, but you might want to check with Digicert https://www.digicert.com/ and Verisign http://www.verisign.com/ to see if you can still get the certificates that you need in the future.
nightshadz (Author) commented:
It does affect what we are doing and it hit us very hard. It's funny you mention "the industry" lol. Before Verisign decided to stop issuing SHA-1 in favor of SHA-2, they issued us SHA-1 (late 2014) for our DEV environment as our DEV SSL certs were a few months from expiration. When we made the same request for PROD a few months later, they gave us SHA-2 but never told us, and we were wracking our brains wondering why they wouldn't import... and it was because IBM's GSKIT 7 won't accept SHA-2. This was a huge problem.

So my main question is, can we "self-sign" SHA-1 and be ok until 1/1/2017 if all we are using the certs for is internal server use? What happens after 1/1/2017 and we are still using self-signed SHA-1?
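Whatever the answer on dates, the property that actually changes in this thread is the hash named in each certificate's signatureAlgorithm field, and that is the same whether Verisign or an internal self-signed key issued it. The script below is an added example, not code from the thread or from any vendor mentioned in it: using only the Python standard library, it reads the signatureAlgorithm OID out of a certificate (PEM or DER) and flags the ones still signed with SHA-1, so an inventory of what the LDAP server and the GSKit-based applications are actually presenting can be built before deciding on a migration path. The certificates in the demo are constructed placeholders with the same outer DER layout as a real certificate (the tbsCertificate and signature bytes are dummies); the helper names `classify`, `audit` and `make_test_cert` are this example's own.

```python
"""Audit X.509 certificates by the hash in their signature algorithm.
Added example (not from the thread): standard-library only, parses just
enough DER to reach the signatureAlgorithm OID and reports SHA-1 use."""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content bytes to dotted form (first byte packs arcs 1 and 2)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def pem_to_der(data):
    """Accept PEM or raw DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)       # skip over tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def classify(cert_bytes):
    """Return the signature algorithm name, its digest, and a SHA-1 flag."""
    oid = signature_algorithm_oid(pem_to_der(cert_bytes))
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return {"algorithm": name, "digest": digest, "sha1": digest == "SHA-1"}

def audit(certs):
    """certs: iterable of (label, bytes). Returns the labels still signed with SHA-1."""
    return [label for label, data in certs if classify(data)["sha1"]]

# --- constructed test data (hypothetical certs with the real outer layout) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return out

def make_test_cert(sig_oid, pem=False):
    """Constructed stand-in: tbsCertificate and signatureValue are placeholder
    bytes (200 zeros forces long-form lengths) since only the OID is inspected."""
    tbs = _tlv(0x30, b"\x00" * 200)
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 32)
    der = _tlv(0x30, tbs + alg + sig)
    if not pem:
        return der
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    inventory = [  # constructed sample inventory, labels are hypothetical
        ("ldap-dev.pem", make_test_cert("1.2.840.113549.1.1.5", pem=True)),
        ("ldap-prod.pem", make_test_cert("1.2.840.113549.1.1.11", pem=True)),
        ("app-ec.der", make_test_cert("1.2.840.10045.4.3.2")),
    ]
    for label, data in inventory:
        print(label, classify(data))
    print("still SHA-1:", audit(inventory))
```

To run this against real files, replace the constructed inventory with `(path, open(path, "rb").read())` pairs; the parser only walks the outer SEQUENCE, so it works on any DER-encoded certificate regardless of key type or extensions. An OID it does not recognise is reported as the dotted string with digest "unknown" rather than silently treated as safe.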