Yeah - as far as I know, CA's will just stop issuing SHA1 certificates as of Jan 1 2016. Chrome (and FF probably) have been issuing 'warnings' for SHA1 certificates for quite some time now. As you said, I think the real problem (if any) will be in 2017 when Chrome and other vendors will present hard/block errors for *any* SHA1 cert.
With this being said, people should have been testing SHA2 for quite some time now. Realistically, the only clients that should have problem with it are very old (pre-SP3 XP, IE6, unpatched Windows 2003, old mobile operating systems, etc). We haven't really seen any issues other than with these old legacy clients at $job, and we have been migrating everything to SHA2 for the past year. Josh On Tue, Dec 22, 2015 at 12:47 PM, Ken Hohhof <[email protected]> wrote: > Has anyone figured out if we should expect a flood of customer calls on > January 1 related to deprecation of SHA-1 certificates? > > I keep seeing articles predicting Internet doomsday on January 1, 2016. > But it looks to me like that's just the date CA's stop issuing new SHA-1 > certs and browsers will not accept SHA-1 certs ISSUED after January 1, > which shouldn't happen anyway. And that January 1, 2017 (or possibly > earlier) is when OS and browser vendors may stop accepting older SHA-1 > certs. > > So wouldn't that be the date when we start getting customer calls, not > January 1? > > Of course, I'm making the assumption that if a site that used to work now > gets an error message, customers will call us assuming "the tower is down" > or "my ISP is blocking sites". Who else are they going to call? Google? > Microsoft? The site owner who didn't get an updated cert? > > > https://googleonlinesecurity.blogspot.ro/2015/12/an-update-on-sha-1-certificates-in.html > >
