What is changing?
- On or about October 31, 2016 Akamai will update the SHA-1 cert on the Freeflow (shared cert) network. The new cert will have a new trust chain and an expiration date of December 27, 2016, after which Akamai will no longer provide SHA-1 support on the Freeflow network, and only SHA-2 will be provided.
What is this all about?
- SHA-1 is a cryptographic hash function that may be used to sign the certificates exchanged when setting up an HTTPS session. To increase security across the internet, the CA/Browser Forum has deprecated the use of SHA-1 certificates, and as of December 31 2015 no SHA-1 certificates could be issued by Certificate Authorities. This is not an Akamai-specific constraint. Consequently, once existing SHA-1 certificates expire there are no means by which to renew them. SHA-1-only clients attempting to initiate a secure connection will be denied.
- Akamai’s SHA-1 certificate for the Shared Cert (HTTPS over FreeFlow) has an expiration in early November 2016. A different SHA-1 cert with an expiration of December 27 2016 will be put in place a few days prior to that.
- As of December 27 2016 many/most modern browsers may refuse SHA-1 certs regardless of their expiration date. SHA-1-only clients attempting to initiate a secure connection will be denied. Even if Akamai were able to deploy a cert with a later expiration date, some clients (e.g. current versions of Chrome) will refuse to accept a SHA-1 cert which expires later than December 27, 2016.
- This change will impact older browsers and clients that do not support SHA-2. These clients may be more prevalent in emerging markets (e.g. in Japan, where feature phones enjoy popularity) and on dedicated devices such as televisions and set-top boxes.
What do customers need to do?
- Customers must have a plan that will result in their clients no longer requiring SHA-1 on the shared cert after December 27, 2016. Specifically, all clients must support SHA-2 by that time. Again, this is not an Akamai requirement, this is an industry-driven security requirement.
- In order to ensure customers can take advantage of the new SHA-1 cert that will be in place between October 31 and December 27, a test environment with the new cert will be provided prior to that.
- In order to ensure that their clients/browsers will operate as desired in a SHA-2-only environment, a test environment will be provided.
- For more info please contact your Akamai account representative, and refer to SHA-1 related threads on Akamai Community.
How can I test to make sure browsers and other client devices can still access my site(s) after the SHA-1 End of Life?
- sha2-only.akamaized.net presents no SHA-1 cert. Customers can use this resource to confirm their clients can use SHA-2 without falling back to SHA-1. Test by spoofing the hostname to the IP address returned by resolving it.
- https://www.akamai.com currently supports SHA-2 but not SHA-1, so it provides an easy site for customers to test clients against (without spoofing).
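The two tests above tell you whether a client copes with a SHA-2-only server. The complementary check on the server side is an inventory of which certificates your clients are actually being presented and whether each is SHA-1 signed and, if so, whether it expires after the December 27, 2016 cut-off mentioned above. The script below is an added example, not Akamai's code: it walks just enough DER to read a certificate's outer signatureAlgorithm OID and its notAfter date, and classifies the cert against that cut-off (treating the date as a hard cut-off at 00:00 UTC is an assumption made here). The sample certificates are constructed in the block purely for offline testing; they are certificate-shaped but not real, verifiable certificates. `fetch_leaf_der` uses the standard library to pull a live server's leaf certificate if you want to run it against the hosts listed above.

```python
"""Inspect the signature hash and expiry of DER-encoded X.509 certificates (added example)."""
import ssl
from datetime import datetime, timezone

# Date from the notice above; assumption: treated here as a hard cut-off at 00:00 UTC.
SHA1_CUTOFF = datetime(2016, 12, 27, tzinfo=timezone.utc)

# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, hash family).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}
# DER encodings of two of those OIDs, used only to build the constructed samples.
SHA1_RSA_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
SHA256_RSA_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """OID of the outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)   # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)


def not_after(der):
    """notAfter from tbsCertificate: [0] version?, serialNumber, signature, issuer, validity."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0   # explicit [0] version is present in v3 certs
    for _ in range(3):                # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(validity, 0)     # notBefore
    tag, t, _ = _read_tlv(validity, pos)   # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(t.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def assess(der):
    """Classify one certificate against the SHA-1 end of life described above."""
    name, family = SIGNATURE_OIDS.get(signature_oid(der), ("unknown", "unknown"))
    expiry = not_after(der)
    if family == "SHA-2":
        verdict = "sha2"
    elif family == "SHA-1":
        verdict = "sha1-rejected" if expiry > SHA1_CUTOFF else "sha1-accepted-until-cutoff"
    else:
        verdict = "unknown-algorithm"
    return {"algorithm": name, "hash": family, "not_after": expiry, "verdict": verdict}


def _tlv(tag, content):
    """Minimal DER encoder (short-form lengths only) for the constructed samples below."""
    return bytes([tag, len(content)]) + content


def make_sample_cert(sig_oid_der, not_after_utc):
    """Constructed, certificate-shaped DER for offline testing; not a real, verifiable cert."""
    alg = _tlv(0x30, sig_oid_der + b"\x05\x00")  # AlgorithmIdentifier { oid, NULL }
    validity = _tlv(0x30, _tlv(0x17, b"161031000000Z") + _tlv(0x17, not_after_utc.encode()))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"") + validity)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def fetch_leaf_der(host, port=443):
    """Leaf certificate a live server presents (needs network; unused by the offline samples)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    for label, der in [("sha1 sample", make_sample_cert(SHA1_RSA_OID_DER, "161227000000Z")),
                       ("sha2 sample", make_sample_cert(SHA256_RSA_OID_DER, "171231000000Z"))]:
        print(label, assess(der))
```

Run the script as-is to see the two constructed samples classified; to inventory a real host, call `assess(fetch_leaf_der("www.akamai.com"))`. Only the leaf is fetched here, so for a full picture of what a client sees you would feed each intermediate in the chain through `assess` as well.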