Introduction

Use certificates that use the SHA-2 algorithm.

Note:

Move to SHA2 Certificates

Microsoft has announced a policy change to the Microsoft Root Certificate Program that will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for SSL and code signing after January 1, 2016. Support for the SHA-2 hashing algorithm is included in Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, and later operating systems. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks or perform man-in-the-middle attacks.

To enhance security and provide users with undisturbed experience, we recommend that all certificates used in Sinch Contact Pro are replaced with new ones using SHA-2 algorithm.

  1. Acquire new SHA-2 certificates.

  2. Install the new certificates to all required servers.

  3. Apply the new certificates to all services that need to be secured.

How to acquire new certificates depends on if you use a public or private certification authority (CA):

  • Certificates from a public CA: Most public CAs provide with a free renewal service, contact your CA.

  • Private CA (self-signed certificates): Either change your private CA to support SHA2 with a command prompt certutil -setreg ca\csp\CNGHashAlgorithm sha256, or set up a new private certificate server and set its signing algorithm to SHA256.

For real customer installations, use only certificates issued by public Certification Authorities (CA), such as Thawte or Verisign. For internal, demonstration, or training purposes you can set up a private certificate server using the tools included in the Microsoft Server software, and use a self-signed certificate.

Note:

If you use a self-signed certificate, you must install the CA’s certificate on the client computer as well to trust the CA. Contact the CA or your certificate server administrator for details.

Procedure

You can acquire certificates using tools on a public CA web page, or in the Microsoft IIS Manager, or follow the example below. The example is generic, always follow the instructions of the CA and certificate you have chosen to use.

The procedure applies also for acquiring certificates for client authentication with some fine tunings, see Client Certificates.

  1. Create the private key (make the certification request) on the server (or one of the servers) where the certificate is going to be installed, see Generating Certificate Request.

  2. Acquire the public key from a certification authority (CA), see Acquiring Certificate.

  3. Install certificate on your server, see Receiving and Installing Certificate.

  4. Test certificate, see Verifying Certificate.

  5. Configure the certificate in the service it is meant for, see Binding Certificate to Secured Service.