Microsoft announced that they will be deprecating publicly signed SHA1 (non-CNG) certificates on January 1st, 2017, yet are specifically requiring publicly signed non-CNG certificates for use with an AD FS 3.0 (2012 R2) configuration. Does anyone know why Microsoft is doing that? Will AD FS be updated before that date to allow for CNG certificates, or will we be up a creek when we go to try to renew an AD FS SHA1 certificate if it expires after January 1st, 2017?
Microsoft Announcement: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
AD FS 3.0 Certificate Requirements: http://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_1
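The question touches two independent properties of a certificate: the hash algorithm the issuing CA used for its signature (SHA1 versus SHA256, which is what the deprecation policy is about) and whether the private key is held by a CNG key storage provider (KSP) or a legacy CryptoAPI provider (CSP), which is what the AD FS requirement is about. A certificate can be SHA256-signed and still have a CSP-backed key, so it is worth checking both before renewing. The script below is an added example, not from the original post or from Microsoft's documentation; the function name and the store path are my choices, and it assumes the .NET runtime behaviour on Windows Server 2012 R2 where reading `PrivateKey` on a CNG-backed key throws (or returns `$null`) instead of returning an RSACryptoServiceProvider.

```powershell
# Added example (not part of the original post): list each certificate in the
# machine store with its signature hash algorithm and its private-key provider.
function Get-CertificateProviderReport {
    param(
        # Assumed default: the personal store where AD FS certificates normally live.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $keyProvider = 'no private key'

        if ($cert.HasPrivateKey) {
            try {
                # Assumption about the runtime: on 2012 R2-era .NET, .PrivateKey is
                # populated only for CSP (CryptoAPI) keys; CNG keys throw or return $null.
                $rsa = $cert.PrivateKey
                if ($null -ne $rsa) {
                    $keyProvider = 'CSP: ' + $rsa.CspKeyContainerInfo.ProviderName
                } else {
                    $keyProvider = 'CNG (KSP)'
                }
            } catch {
                $keyProvider = 'CNG (KSP)'
            }
        }

        $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA

        [pscustomobject]@{
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $sigAlg
            Sha1Signed         = ($sigAlg -like 'sha1*')
            KeyProvider        = $keyProvider
        }
    }
}

# Usage: show everything that is SHA1-signed or CNG-backed, the two cases the question asks about.
Get-CertificateProviderReport |
    Where-Object { $_.Sha1Signed -or $_.KeyProvider -eq 'CNG (KSP)' } |
    Format-Table -AutoSize
```

`Sha1Signed` reports the CA's signature on the certificate, which is what a browser's SHA1 deprecation warning keys on; `KeyProvider` reports how the private key is stored, which is what determines whether AD FS will accept it. Renewing with a SHA256 signature does not by itself change the key provider, so both columns need to come out the way you expect.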