Comments on Microsoft Teams and UC from my point: Time is running out, it's time to upgrade to Skype for Business
Kai Stenberg

GW999 (2016-08-15 11:04 +02:00):

The engineer focused "plenty of research" on confirming that you cannot get Lync Server 2010/2013 to issue self-signed SHA-2 certs. They missed the point that there is no need to. That is, according to the official Microsoft guidance on SHA-1 deprecation as referenced above by MLaMontagne. The FAQ states: "Will the policies apply to certificates that do not chain to a certificate issued by a CA in the Microsoft Root Certificate Program?"

A: No, the policies will only apply to certificates issued by CAs in the [Trusted Root] Program.

The guidance above from the MSFT engineer is reckless and will cause a lot of undue panic.

Tsoorad makes a good point on his blog though that we need to consider the SHA-1 deprecation enforcement policy of third-party browsers as that will affect certain Lync/Skype web operability scenarios (but will not require a knee-jerk migration to SfB).

Kai Stenberg (2016-08-13 12:51 +02:00):

I also found this great article about it:
http://tsoorad.blogspot.no/2015/07/windows-pki-sha-1-to-sha-2.html

And he also says this: However, there are going to be numerous AD internal CA’s out there that are issuing SHA-1 certificates, and depending on how the environment is configured, the customer will need to renew their application certificates for internal use. Logically, it makes sense that the desirable outcome of renewing the application certificates is that the issuing PKI be SHA-2.

Kai Stenberg (2016-08-13 12:44 +02:00):

What they said and their recommendation to my customer was this end line: "After doing plenty of research we cannot change Hash algorithm of the self-signed certificate issued by Lync Server 2010 and Lync Server 2013 so we’d like to suggest you perform the upgrade to Skype for Business Server 2015 before January 1, 2017. I am truly sorry for the inconvenience this has brought."

Anonymous (2016-08-12 19:06 +02:00):

Good point! MSFT never fails to mislead or misdirect even their Enterprise customers. This SHA-1 retirement will cause a MASSIVE amount of issues in the coming months, I bet on that!
Especially if their own in-house products will fail with all kinds of exotic errors!
soder

MLaMontagne (2016-08-12 16:10 +02:00):

Did Microsoft Support indicate that self-signed certificates fall under the 2017 SHA-1 blocking? I was under the impression only SHA-1 certificates chained from CAs in the Microsoft Trusted Root Certificate program were impacted. https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/ and http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants-v-2016-april.aspx