SHA-1 is the most commonly used hash function for certificates on the internet, and many internal root certificate servers. If your in-house certificate authority has been around since Windows 2003, it's likely it too uses the now insecure SHA-1. Since 2013, Microsoft have been deprecating use of SHA1 certificates within Windows, and from 1st January 2017, all supported versions of Windows will not accept any SHA-1 certificates. Payment processors have already announced they won't deal with SHA-1 from the summer too.
A Certificate with SHA-2
The certificate shown above is using the SHA384 signature algorithm, and so is it's root certificate - ensuring it will be accepted by all browsers without warnings through 2017.
At Fuse, we can help you transtition your certificate servers to the latest standards, ensuring your certificates use stronger encryption without breaking your existing systems and preventing access. We can also assist with installing the new certificates onto devices such as VPN gateways, web servers, laptops and phones, and with code/email signing and encryption certificates for files and backups. At the same time, we can harden your Windows Server TLS/SSL protocols so they only support newer protocols and ciphers. You can engage us within the context of a PKI project, or simply on a time and materials/consultancy basis. Either we'll ensure your infrastucture remains secure and compliant in a critical year for PKI.