Microsoft announced on November 12th, 2013 that they will be deprecating SHA1 on January 1st, 2017.
Announcement here: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
We currently run an internal PKI that's configured as below:

- Provider: Microsoft Strong Cryptographic Algorithm
- Hash algorithm: SHA-1
The announcement post is not entirely clear as to the exact impact. From my understanding of the post, Windows will stop accepting SHA-1 SSL certificates after January 1st, 2017. Is that correct?

Does that mean that any internally issued certificates will need to be re-issued by an Issuing CA that is configured to utilize CNG and SHA256? If so, is this true for all internally issued certificates? User, computer, web server, etc.?

Certain Microsoft technologies specifically do not support CNG certificates (AD FS as one example, even in 2012 R2). If we are being pushed to retire all SHA1 certificates and replace them with SHA256, why don't all Microsoft technologies support CNG certificates?

Is this true for all VeriSign certificates that we use that were signed with SHA1? Will we need to have those re-issued by VeriSign and replace all of those that are currently in use?
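Before deciding what has to be re-issued, it helps to know which certificates on a given machine are actually SHA-1 signed and whether their private keys sit in a legacy CSP or a CNG key storage provider. The script below is an added example, not code from the original post or from Microsoft; it walks a set of local machine certificate stores (the store list and the column names are my assumptions), flags certificates whose signature algorithm is SHA-1 based, notes whether each is self-signed, and reports the .NET key class (RSACng for CNG keys, RSACryptoServiceProvider for legacy CSP keys) where a private key is present.

```powershell
# Added example (not from the original post): inventory SHA-1 signed
# certificates in the local machine stores so the re-issue scope can be sized.
# Store paths below are assumptions; adjust them to the stores you care about.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')

# Signature-algorithm OIDs for SHA-1 based signatures (RSA, DSA and ECDSA).
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1RSA
    '1.2.840.10040.4.3',     # sha1DSA
    '1.2.840.10045.4.1'      # sha1ECDSA
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        if ($sha1Oids -contains $cert.SignatureAlgorithm.Value) {
            # Work out which provider holds the private key, where one exists.
            # On .NET Framework 4.6+, GetRSAPrivateKey returns RSACng for CNG keys
            # and RSACryptoServiceProvider for legacy CSP keys.
            $provider = 'n/a (no private key)'
            if ($cert.HasPrivateKey) {
                try {
                    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    $provider = if ($key) { $key.GetType().Name } else { 'unknown (non-RSA key)' }
                } catch {
                    $provider = 'inaccessible'
                }
            }
            [pscustomobject]@{
                Store        = $store
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
                NotAfter     = $cert.NotAfter
                KeyProvider  = $provider
            }
        }
    }
}

$findings | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

Run it on the CA host and on a representative sample of servers and workstations; the `SelfSigned` column separates root certificates (whose own signature hash is not what is checked when a chain is validated) from the leaf and intermediate certificates that would need re-issuing. For the CA's own configuration, the provider and hash settings shown in the question can be read with `certutil -getreg ca\csp`.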