
OCSP SHA-1 support ending 30 May 2022

Microsoft has announced the sunset of SHA-1 signing for its Online Certificate Status Protocol (OCSP) responses. Microsoft is updating its OCSP service to comply with a recent change to the Certificate Authority / Browser Forum (CA/B Forum) Baseline Requirements, which requires that all publicly trusted Public Key Infrastructures (PKIs) stop using the SHA-1 hash algorithm for OCSP responses by May 31, 2022.

Most end customers will not have any issues. Some legacy client configurations that do not support SHA-256 may, however, fail certificate validation. After May 31, 2022, clients that do not support SHA-256 will be unable to validate the revocation status of a certificate, which, depending on configuration, can cause the client to fail. If you cannot update a legacy client to one that supports SHA-256, you can disable revocation checking to bypass OCSP until the client is updated; note that this also removes the client's ability to notice a revoked certificate, so treat it as a temporary workaround rather than a fix. If your Transport Layer Security (TLS) stack predates 2015, review its configuration for potential incompatibilities.
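A practical way to see whether a responder (or a saved response) is affected is to look at the signatureAlgorithm inside the BasicOCSPResponse. The following is an added example, not Microsoft's code: a minimal DER walker that extracts that algorithm from an OCSPResponse and reports whether a SHA-1-only client could still process it. The two sample responses are constructed inline with a small DER encoder (their ResponseData and signature are placeholders; only the outer structure matters here), and the `client_hashes` parameter is an assumption used to model a legacy client.

```python
# Added example (not from the original page): inspect the signature algorithm
# of a DER-encoded OCSPResponse (RFC 6960) and classify it as SHA-1 or SHA-256.

# signatureAlgorithm OIDs commonly seen in OCSP responses.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "SHA-256"),
}
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"   # responseType for BasicOCSPResponse

# --- tiny DER encoder, used only to construct the sample responses below ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return der(0x06, bytes(body))

def build_response(sig_oid):
    """Constructed sample: an OCSPResponse whose BasicOCSPResponse claims sig_oid.
    tbsResponseData and the signature are dummies; the structure is what we parse."""
    tbs = der(0x30, b"")                                   # ResponseData placeholder
    params = der(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""  # NULL for RSA
    alg = der(0x30, oid(sig_oid) + params)                 # AlgorithmIdentifier
    sig = der(0x03, b"\x00" + b"\x00" * 8)                 # BIT STRING, dummy signature
    basic = der(0x30, tbs + alg + sig)                     # BasicOCSPResponse
    response_bytes = der(0x30, oid(ID_PKIX_OCSP_BASIC) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, response_bytes))  # status=successful

# --- tiny DER decoder ---
def _read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def oid_decode(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)

def response_hash_algorithm(resp_der):
    """Return (signature algorithm name, hash family) for a DER OCSPResponse."""
    tag, top, _ = _read_tlv(resp_der)
    assert tag == 0x30, "OCSPResponse must be a SEQUENCE"
    fields = _children(top)
    if fields[0][1][0] != 0:               # responseStatus != successful: nothing signed
        return ("no-response", None)
    assert fields[1][0] == 0xA0            # [0] EXPLICIT ResponseBytes
    _, rb, _ = _read_tlv(fields[1][1])
    resp_type, response = _children(rb)
    assert oid_decode(resp_type[1]) == ID_PKIX_OCSP_BASIC
    _, basic, _ = _read_tlv(response[1])   # OCTET STRING holds BasicOCSPResponse
    _tbs, sig_alg, _signature, *_certs = _children(basic)
    alg_oid = oid_decode(_children(sig_alg[1])[0][1])
    return SIG_ALG_OIDS.get(alg_oid, (alg_oid, "unknown"))

def legacy_client_can_validate(resp_der, client_hashes=("SHA-1",)):
    """Assumed model of a legacy client that only understands client_hashes."""
    _, family = response_hash_algorithm(resp_der)
    return family in client_hashes

SHA1_RESPONSE = build_response("1.2.840.113549.1.1.5")      # constructed sample
SHA256_RESPONSE = build_response("1.2.840.113549.1.1.11")   # constructed sample

if __name__ == "__main__":
    for label, r in (("SHA-1 signed", SHA1_RESPONSE), ("SHA-256 signed", SHA256_RESPONSE)):
        print(label, response_hash_algorithm(r), "SHA-1-only client ok:", legacy_client_can_validate(r))
```

To run the same check against a live responder, `openssl ocsp -issuer issuer.pem -cert leaf.pem -url <responder URL> -resp_text` prints the response's Signature Algorithm directly, and adding `-respout resp.der` saves the DER so it can be fed to `response_hash_algorithm(open("resp.der", "rb").read())`.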
