"After doing more research and tests I have confirmed that both Lync Server 2010 and Lync Server 2013 issue self-signed certificates with the SHA-1 algorithm to Lync clients, while both Skype for Business Server 2015 and Skype for Business Online issue self-signed certificates with the SHA-2 algorithm to their clients. After doing plenty of research we cannot change the hash algorithm of the self-signed certificate issued by Lync Server 2010 and Lync Server 2013, so we'd like to suggest you perform the upgrade to Skype for Business Server 2015 before January 1, 2017."
After doing some Google searching I found this one from November 2014, SHA-1 client issue, as it says that clients do not have to do anything, but this is a technical issue.
And since Lync 2010 is also out of mainstream support, now is the time to plan your upgrade.
Did Microsoft Support indicate that self-signed certificates fall under the 2017 SHA-1 blocking? I was under the impression only SHA-1 certificates chained from CAs in the Microsoft Trusted Root Certificate program were impacted. https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/ and http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx
Good point! MSFT never fails to mislead or misdirect even their Enterprise customers. This SHA-1 retirement will cause a MASSIVE amount of issues in the coming months, I bet on that! Especially if their own in-house products will fail with all kinds of exotic errors!
soder
What they said and their recommendation to my customer was this end line: "After doing plenty of research we cannot change the hash algorithm of the self-signed certificate issued by Lync Server 2010 and Lync Server 2013, so we'd like to suggest you perform the upgrade to Skype for Business Server 2015 before January 1, 2017. I am truly sorry for the inconvenience this has brought."
I also found this great article about it:
http://tsoorad.blogspot.no/2015/07/windows-pki-sha-1-to-sha-2.html
And he also says this: However, there are going to be numerous AD internal CA's out there that are issuing SHA-1 certificates, and depending on how the environment is configured, the customer will need to renew their application certificates for internal use. Logically, it makes sense that the desirable outcome of renewing the application certificates is that the issuing PKI be SHA-2.
The engineer focused "plenty of research" on confirming that you cannot get Lync Server 2010/2013 to issue self-signed SHA-2 certs. They missed the point that there is no need to. That is, according to the official Microsoft guidance on SHA-1 deprecation as referenced above by MLaMontagne. The FAQ states: "Will the policies apply to certificates that do not chain to a certificate issued by a CA in the Microsoft Root Certificate Program?"
A: No, the policies will only apply to certificates issued by CAs in the [Trusted Root] Program.
The guidance above from the MSFT engineer is reckless and will cause a lot of undue panic.
Tsoorad makes a good point on his blog though that we need to consider the SHA-1 deprecation enforcement policy of third party browsers as that will affect certain Lync/Skype web operability scenarios (but will not require a knee-jerk migration to SfB).
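The distinction the thread turns on (a SHA-1 cert that is self-signed, as Lync issues to clients, versus one that chains to a CA in the Microsoft Trusted Root Program) can be checked per machine rather than guessed at. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes a Windows host with the standard Cert: PSDrive and classifies each certificate in the local machine store.

```powershell
# Added example: inventory the local machine's personal certificate store,
# flag SHA-1 signatures, and separate self-signed certificates (issuer equals
# subject, as Lync Server 2010/2013 issues to clients) from certificates that
# chain to a root present in the machine's trusted root store.
# Assumes a Windows host with the Cert: PSDrive (PowerShell 3.0 or later).

# Thumbprints of everything the OS currently treats as a trusted root.
$trustedRootThumbprints = Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { $_.Thumbprint }

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # FriendlyName is e.g. "sha1RSA" or "sha256RSA"; only sha1* is SHA-1.
    $isSha1     = $cert.SignatureAlgorithm.FriendlyName -match '^sha1'
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain the OS would use, without network revocation lookups
    # (this is an offline inventory, not a trust decision).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)

    # The last chain element is the root the builder ended at (for a
    # self-signed certificate that is the certificate itself).
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    $chainsToLocalRoot = $built -and ($null -ne $root) -and
        ($trustedRootThumbprints -contains $root.Thumbprint)

    [pscustomobject]@{
        Subject           = $cert.Subject
        SigAlgorithm      = $cert.SignatureAlgorithm.FriendlyName
        NotAfter          = $cert.NotAfter
        IsSha1            = $isSha1
        SelfSigned        = $selfSigned
        ChainsToLocalRoot = $chainsToLocalRoot
        # Per the Microsoft FAQ quoted in the thread, the SHA-1 policy applies
        # only to certificates chaining to a Trusted Root Program CA, so a
        # self-signed SHA-1 certificate is not in scope. Note that the local
        # Root store also holds enterprise/AD CAs pushed by policy, which are
        # not Program members; those hits need a manual check against the
        # published participant list (the tsoorad point about internal CAs).
        CandidateForPolicy = $isSha1 -and (-not $selfSigned) -and $chainsToLocalRoot
    }
} | Sort-Object CandidateForPolicy -Descending | Format-Table -AutoSize
```

Run it on a Lync/Skype for Business front end and on a client to see which SHA-1 certificates are self-signed (out of scope) and which chain to a root and warrant a closer look before the 2017 date.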