Use of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Article ID: SEC0006

Reference

On January 1st, 2016, Microsoft deprecated the use of SHA-1 certificates.

When customers running either Internet Explorer or Microsoft Edge download a SHA-1 signed file from the Internet that is timestamped and released on January 1, 2016, or later, SmartScreen will mark the file as not trusted. This status does not prevent customers from downloading the file or running these browsers on their computers, but customers are warned of the not trusted status of the file.

This change only affects Mark-of-the-Web (MOTW) files downloaded from the Internet. Files timestamped before January 1, 2016, will continue to be trusted. Drivers with signatures verified by Code Integrity are not affected by this change. 

Windows 7 and Windows Server 2008 systems require update 3033929 to support SHA-2 certificates. It is recommended that Commvault software users update their Windows clients with all the latest available Windows updates. 

For Commvault software:  

  • Version 11 Service Pack 3 has signed all MOTW files with the SHA-2 algorithm. All other binaries will be changed to the SHA-2 algorithm starting with Service Pack 4.
  • Version 10 files will be changed to the SHA-2 algorithm later this year (2016).
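
To see which downloaded files on a Windows client fall under the SmartScreen change described above, the following added example (not Commvault or Microsoft code) lists Internet-zone MOTW files under a folder and flags those whose signer certificate carries a SHA-1 signature. It needs PowerShell 3.0 or later; the folder path and the function name Get-MotwZoneId are assumptions, and it reports the certificate algorithm only, not the file digest or the timestamp date.

```powershell
# Added example: audit a folder for MOTW files signed with a SHA-1 certificate.
# Assumption: C:\Installers is a placeholder; pass the folder to check with -Path.
param(
    [string]$Path = 'C:\Installers'
)

# Hypothetical helper: returns the ZoneId stored in the file's Mark-of-the-Web,
# or $null when the file carries no Zone.Identifier stream.
function Get-MotwZoneId {
    param([string]$File)
    # MOTW lives in the NTFS alternate data stream "Zone.Identifier".
    $lines = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

Get-ChildItem -Path $Path -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.msi', '.cab' } |
    ForEach-Object {
        $zone = Get-MotwZoneId -File $_.FullName
        if ($zone -ne 3) { return }          # 3 = Internet zone; skip everything else

        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if (-not $sig.SignerCertificate) {   # unsigned file: outside this check
            return
        }

        # FriendlyName is e.g. "sha1RSA" or "sha256RSA" for the signer certificate.
        $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName

        [pscustomobject]@{
            File                   = $_.FullName
            ZoneId                 = $zone
            CertSignatureAlgorithm = $alg
            Sha1Certificate        = ($alg -like 'sha1*')
            # Only says whether a timestamp countersignature is present;
            # the timestamp date itself is not exposed by this cmdlet.
            Timestamped            = [bool]$sig.TimeStamperCertificate
            SignatureStatus        = $sig.Status
        }
    } |
    Sort-Object Sha1Certificate -Descending |
    Format-Table -AutoSize
```

Rows with Sha1Certificate set to True are the candidates to re-download in a SHA-2 signed build; the signing date still has to be checked in the file's Digital Signatures properties.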