Welcome to the Jisc Certificate Service group. The service offers a number of different X.509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority QuoVadis, which provides the certificates. The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education. This is a Community group where users can obtain relevant information, receive service updates and provide feedback.

SHA-1 and Google Chrome

20 November 2014 at 4:56pm


On 18 November Google released Chrome 39. Users visiting web services secured with SHA-1 certificates that expire in 2017 will now be shown a grey padlock with a yellow warning triangle instead of the usual recognisable green padlock.

Chrome 39 still indicates that the connection is secure and encrypted, but states that "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it".

We strongly recommend that customers replace these affected certificates promptly, and certainly before Chrome 41 (out in early 2015), when users will be presented with a pop-up window warning of an insecure and unencrypted connection. On 14 November credits were applied to your JCS account to enable you to replace affected certificates at no cost.
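
One way to find the affected certificates across a set of servers, as an added example that is not part of the original announcement: the Python below reads `openssl x509 -noout -text` output and flags SHA-1 signed certificates that are still valid in 2017. The host names and certificate excerpts are constructed, and reading "expire in 2017" as any expiry on or after 1 January 2017 is an assumption.

```python
import re
from datetime import datetime, timezone

# Assumption: "expire in 2017" is read as notAfter on or after 1 January 2017.
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)
SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
END_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*GMT\s*$", re.M)

# Constructed excerpts of `openssl x509 -noout -text` output (hypothetical hosts).
SAMPLES = {
    "www.example.ac.uk": """
        Signature Algorithm: sha1WithRSAEncryption
            Not Before: Mar  3 09:00:00 2014 GMT
            Not After : Mar  3 09:00:00 2017 GMT
    """,
    "apply.example.ac.uk": """
        Signature Algorithm: sha1WithRSAEncryption
            Not Before: Dec  1 00:00:00 2014 GMT
            Not After : Dec 31 23:59:59 2015 GMT
    """,
    "portal.example.ac.uk": """
        Signature Algorithm: sha256WithRSAEncryption
            Not Before: Nov 20 12:00:00 2014 GMT
            Not After : Nov 20 12:00:00 2017 GMT
    """,
}

def classify(dump):
    """Return (status, signature algorithm, notAfter) for one certificate dump."""
    sig, end = SIG_RE.search(dump), END_RE.search(dump)
    if not sig or not end:
        raise ValueError("input is not `openssl x509 -noout -text` output")
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    not_after = not_after.replace(tzinfo=timezone.utc)
    if "sha1" not in sig.group(1).lower():
        status = "ok"            # not SHA-1 signed
    elif not_after >= CUTOFF:
        status = "replace"       # SHA-1 and still valid in 2017: Chrome 39 warning
    else:
        status = "sha1-short"    # SHA-1, but expires before 2017
    return status, sig.group(1), not_after

def audit(dumps):
    """Map each host to its status; only the certificate given is examined."""
    return {host: classify(text)[0] for host, text in dumps.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{status:10} {host}")
```

To run it against real certificates, replace `SAMPLES` with the text produced by `openssl x509 -in cert.pem -noout -text` for each server.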

Comments

Do you have a mechanism for us to request SHA-1 certs expiring at end of 2015?

This currently seems to be the best solution for sites which need to support visitors using Windows XP SP2 (see https://bugzilla.mozilla.org/show_bug.cgi?id=1064387#c5). We (hopefully) wouldn't want to do this for all of our affected servers but might need it for the servers involved in recruitment of overseas students.

This obviously doesn't really fix things; it just avoids the warnings for twelve months in the hope that XP SP2 usage will decline.

Hi Paul,

It is still possible to get SHA-1 certificates through the service, but these have to be requested manually by the Janet Service Desk.

You will need to email the desk (certificates@ja.net) to request it, making sure you have enough credits on your account. Please specify the type of certificate required together with the email address for the Domain Control Validation response step.

Sorry, the correct email address to use is now certificates@jisc.ac.uk; we're still getting used to the email switchover. The other address will still work, however, for the next 12 months.