1) Our current certs list a SHA1 Fingerprint and a SHA256 PIN. Does this mean they won't work when browsers turn off SHA1?|
My understanding is that certificates with ONLY SHA-1-based signatures (except trusted root certificates) won't work. When we replaced our SSL certs with SHA-2 versions there was a SHA1 and SHA2 fingerprint present so I am guessing this is normal. I am open to correction, but they did pass testing with SSLLabs so we are pretty confident they will work without issue next year.
2) Is there a testing tool that is pre-set for the upcoming changes that I could use to test against our sites to see if browsers will be able to connect to them after SHA1 is sunsetted?
There is the development version of SSL Labs that you could look at: https://dev.ssllabs.com/ssltest. It contains the new grading for 2017 including SHA1 deprecation. A full list of changes is available here: https://blog.qualys.com/ssllabs/2016/11/16/announcing-ssl-labs-grading-changes-for-2017.
Dec 7th 2016
11 months ago
|In some browsers (for example Safari), you can turn off support for SHA-1 signatures in your browsers. That, and ssllabs.com, is probably the easiest way to test your sites.||
Dec 20th 2016
10 months ago