Be very careful. I went to look this up and got mired in a back-and-forth about what "supported" means when it comes to SHA-2.
Long story short, there is a difference between "validating" a certificate and "signing" with a certificate.

Windows XP SP3 and Windows Server 2003 SP2 can validate a SHA-2 certificate - WITH AN ADDITIONAL PATCH. This patch is not available via WSUS or Microsoft Update. They cannot ever sign using a SHA-2 certificate.

Vista and Server 2008 released with a bug that prevented signing with SHA-2, but it was fixed shortly after release with an update that was available via WSUS and Microsoft Update. So any current release should be ok.

All subsequent releases should be able to validate and sign with a SHA-2 certificate.

Outlook 2003 does not support SHA-2 at all. Outlook 2007+ appear to support SHA-2 on Vista and above. I am unclear if they support SHA-2 on XP SP3 with the aforementioned patch.

Something that is still not clear to me is when Certificate Services can issue SHA-2 certificates. I'm moderately sure it was Vista/Server 2008. But I'm not certain on that.

All that being said - there is a known issue with ActiveSync on Exchange 2013 CU4 with SHA-2 certificates. I've asked for an update, but honestly I doubt I'll get one since it's not a widespread issue.

From: [email protected] [mailto:[email protected]] On Behalf Of David Mazzaccaro
Sent: Wednesday, September 17, 2014 8:46 AM
To: [email protected]
Subject: RE: [Exchange] SHA1 Certs on OWA/AS

Funny you mention that, I just got this notice from GoDaddy:

SSL certificate technology is always improving to stay ahead of hackers. We regularly update to the most current and effective standards. We recently switched from using SHA-1 certificates to the more secure SHA-2 algorithm for new certificates.

Google Chrome is a very popular internet browser. Starting in November, they'll begin displaying errors on the padlock icon for any website using SHA-1 SSL certificates. Learn more here.

The following SSL certificate(s) are still using the SHA-1 algorithm. Re-key them to update to SHA-2 and avoid problems in November.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of J- P
Sent: Tuesday, September 16, 2014 8:53 PM
To: [email protected]
Subject: [Exchange] SHA1 Certs on OWA/AS

Hi all,

I know sha1 will be valid till 2016, however, being that web browsers will start giving warnings along the lines of "the website is using a weak encryption ......... Cert", will any of this affect OWA or ActiveSync?

Thanks
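
An added example, not part of any message in this thread: a PowerShell inventory of the certificates in the server's LocalMachine\My store that carry a SHA-1 signature, either on the certificate itself or on an intermediate in its chain. The store location and the restriction to unexpired server-authentication certificates are assumptions about how the OWA/ActiveSync certificate is deployed.

```powershell
# Added example: find server certificates whose chain still uses a SHA-1 signature.
# Signature-algorithm OIDs that use SHA-1 as the hash.
$sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1RSA
    '1.3.14.3.2.29',          # sha1RSA (older OIW identifier)
    '1.2.840.10040.4.3',      # sha1DSA
    '1.2.840.10045.4.1'       # sha1ECDSA
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Assumption: the certificate bound to OWA/ActiveSync lives in LocalMachine\My.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Keep only certificates usable for TLS server auth (no EKU means any purpose).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        return
    }
    if ($cert.NotAfter -lt (Get-Date)) { return }   # expired, nothing to re-key

    # Build the chain offline; revocation is irrelevant to the hash check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)

    # Check the leaf and intermediates. The self-signed root is skipped because
    # clients trust it by presence in the root store, not by its signature.
    $sha1Elements = $chain.ChainElements | ForEach-Object { $_.Certificate } | Where-Object {
        $_.Subject -ne $_.Issuer -and $sha1SignatureOids -contains $_.SignatureAlgorithm.Value
    }

    if ($sha1Elements) {
        New-Object psobject -Property @{
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            LeafSigAlg   = $cert.SignatureAlgorithm.FriendlyName
            Sha1SignedBy = ($sha1Elements | ForEach-Object { $_.Issuer }) -join ' | '
        }
    }
} | Sort-Object NotAfter | Format-List Subject, NotAfter, LeafSigAlg, Sha1SignedBy
```

No output means no unexpired server-authentication certificate in that store chains through a SHA-1 signature; anything listed is a candidate for the re-key that the quoted notice describes.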
