SHA-1 EOL

Document created by Alex Balford (Employee) on Aug 11, 2016. Last modified by Alex Balford (Employee) on Nov 14, 2016.

What is changing?

  • On or about October 31, 2016 Akamai will update the SHA-1 cert on the Freeflow (shared cert) network.  The new cert will have a new trust chain and an expiration date of December 27, 2016, after which Akamai will no longer provide SHA-1 support on the Freeflow network, and only SHA-2 will be provided.

What is this all about?

  • SHA-1 is a cryptographic hash function that may be used to sign the certificates exchanged when setting up an HTTPS session. To increase security across the internet, the CA/Browser Forum has deprecated the use of SHA-1 certificates, and as of December 31, 2015 no SHA-1 certificates could be issued by Certificate Authorities. This is not an Akamai-specific constraint. Consequently, once existing SHA-1 certificates expire there are no means by which to renew them. SHA-1-only clients attempting to initiate a secure connection will be denied.
  • Akamai’s SHA-1 certificate for the Shared Cert (HTTPS over FreeFlow) expires in early November 2016. A different SHA-1 cert with an expiration of December 27, 2016 will be put in place a few days prior to that.
  • As of December 27, 2016 many/most modern browsers may refuse SHA-1 certs regardless of their expiration date. SHA-1-only clients attempting to initiate a secure connection will be denied. Even if Akamai were able to deploy a cert with a later expiration date, some clients (e.g. current versions of Chrome) will refuse to accept a SHA-1 cert which expires later than December 27, 2016.
  • This change will impact older browsers and clients that do not support SHA-2. These clients may be more prevalent in emerging markets (e.g. in Japan, where feature phones enjoy popularity) and on dedicated devices such as televisions and set-top boxes.

What do customers need to do?

  • Customers must have a plan that will result in their clients no longer requiring SHA-1 on the shared cert after December 27, 2016. Specifically, all clients must support SHA-2 by that time. Again, this is not an Akamai requirement; it is an industry-driven security requirement.
  • To let customers confirm that their clients accept the new SHA-1 cert that will be in place between October 31 and December 27, a test environment with the new cert will be provided prior to that.
  • To let customers confirm that their clients/browsers will operate as desired in a SHA-2-only environment, a test environment will be provided.
  • For more info please contact your Akamai account representative, and refer to SHA-1 related threads on Akamai Community.

How can I test to make sure browsers and other client devices can still access my site(s) after the SHA-1 End of Life?

  • sha2-only.akamaized.net has no SHA-1 cert. Customers can use this resource to confirm their clients can use SHA-2 without falling back to SHA-1. Test by spoofing (overriding DNS for your hostname) to the IP returned by resolving that hostname.
  • https://www.akamai.com currently supports SHA-2 but not SHA-1, so it provides an easy site for customers to test clients against (without doing spoofing).
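To record which signature algorithm a host actually presents during the transition (e.g. confirming that sha2-only.akamaized.net, or one of your own hostnames, serves a SHA-2-signed certificate), here is an added Python example, not part of this Akamai document, that reads the outer signatureAlgorithm OID of a DER certificate with a minimal ASN.1 walker; the OID table is taken from the relevant RFCs and the hostname argument is an assumption.

```python
import base64
import ssl
import sys

# Signature-algorithm OIDs relevant to the SHA-1 retirement (RFC 3279, 4055, 5758).
SIG_ALG = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                      # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def classify_der(der):
    """Return (oid, name, family) for a DER certificate's outer signatureAlgorithm."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate entirely
    _, alg, _ = _tlv(cert, pos)              # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier: expected OBJECT IDENTIFIER")
    oid = _oid(oid_bytes)
    return (oid,) + SIG_ALG.get(oid, ("unknown", "unknown"))

def classify_pem(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))  # drop PEM armour
    return classify_der(base64.b64decode(body))

if __name__ == "__main__":                   # e.g. python sigalg.py sha2-only.akamaized.net
    print(sys.argv[1], *classify_pem(ssl.get_server_certificate((sys.argv[1], 443))))
```

Only the leaf certificate is inspected; run the same check over each intermediate as well, since browsers apply the SHA-1 policy to every certificate below the root.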