- Updated April 26, 2017 5:10: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/
- Frequently asked questions
- How can I disable SHA-1 today?
- You can disable SHA-1 today for testing by running the following commands from an Administrator Command Prompt:
- First, create a logging directory and grant universal access:
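- set LogDir=C:\Log
- mkdir %LogDir%
- rem S-1-15-2-1 = ALL APPLICATION PACKAGES (AppContainer processes)
- icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
- rem S-1-1-0 = Everyone
- icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
- rem S-1-5-12 = Restricted Code
- icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
- rem Label the directory low integrity so low-integrity processes can write to it
- icacls %LogDir% /setintegritylevel L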
- Next, enable certificate logging and SHA-1 blocking:
- Certutil -setreg chain\WeakSignatureLogDir %LogDir%
- Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80040004
- Important: Use the following commands to remove the settings after you have completed your testing.
- Certutil -delreg chain\WeakSha1ThirdPartyFlags
- Certutil -delreg chain\WeakSignatureLogDir
- How will other Windows applications and older versions of Internet Explorer be impacted?
- Third-party Windows applications that use the Windows cryptographic API set and older versions of Internet Explorer will not be impacted by the mid-2017 changes by default.
- How will SHA-1 client authentication certificates be impacted?
- The mid-2017 update will not prevent a SHA-1 signed certificate from being used for client authentication.
- What about cross-signed certificates?
- Windows will only check if the thumbprint of the root certificate is in the Microsoft Trusted Root Certificate Program. A certificate cross-signed with a Microsoft Trusted Root that chains to an enterprise/self-signed root would not be impacted by the changes planned for mid-2017.
- Alec Oot, Senior Program Manager
- Jody Cloutier, Senior Program Manager
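
An added example, not part of the Microsoft post: a PowerShell inventory of SHA-1-signed certificates in the local machine stores, run before enabling the blocking flags above, that notes whether each chain ends in a third-party root or an enterprise/self-signed one. Treating the `AuthRoot` (Third-Party Root Certification Authorities) store as a stand-in for the Microsoft Trusted Root Certificate Program is an assumption, as are the function name and the default store list.

```powershell
# Added example (not from the Microsoft post). Function name and store list are assumptions.
function Get-Sha1SignedCertificate {
    param([string[]]$Store = @('My', 'CA'))

    # Signature algorithm OIDs that use SHA-1.
    $sha1Oids = @(
        '1.2.840.113549.1.1.5',   # sha1RSA
        '1.3.14.3.2.29',          # sha1RSA (legacy OIW identifier)
        '1.2.840.10045.4.1',      # sha1ECDSA
        '1.2.840.10040.4.3'       # sha1DSA
    )
    # Assumption: roots in the Third-Party Root Certification Authorities store
    # stand in for "root is in the Microsoft Trusted Root Certificate Program".
    $thirdParty = @(Get-ChildItem 'Cert:\LocalMachine\AuthRoot' | ForEach-Object { $_.Thumbprint })

    foreach ($name in $Store) {
        foreach ($cert in Get-ChildItem "Cert:\LocalMachine\$name") {
            if ($cert.Subject -eq $cert.Issuer) { continue }   # skip self-signed roots
            if ($sha1Oids -notcontains $cert.SignatureAlgorithm.Value) { continue }

            # Build the chain without revocation fetches so the inventory runs offline.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            [void]$chain.Build($cert)
            $rootClass = 'IncompleteChain'
            if ($chain.ChainElements.Count -gt 0) {
                $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                if ($top.Subject -eq $top.Issuer) {
                    $rootClass = 'EnterpriseOrSelfSignedRoot'
                    if ($thirdParty -contains $top.Thumbprint) { $rootClass = 'ThirdPartyRoot' }
                }
            }
            [pscustomobject]@{
                Store      = $name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Signature  = $cert.SignatureAlgorithm.FriendlyName
                Eku        = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                RootClass  = $rootClass
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Get-Sha1SignedCertificate | Sort-Object RootClass, NotAfter | Format-Table -AutoSize
```

Per the FAQ above, rows classed `EnterpriseOrSelfSignedRoot` and certificates used only for client authentication are not affected by the mid-2017 change; `ThirdPartyRoot` rows are the ones to review.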