SHA-1 Certificates will no longer be supported with browsers after December 31, 2016. Will ACF2 still work OK?


Article ID: 12549


Updated On:


Products: ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit


When the TLS/SSL certificates used to identify web sites are signed by certificate authorities (CAs), the signatures use a cryptographic "signature algorithm" that includes a cryptographic hash function. The end of 2016 marks the end of support in most major browsers for the SHA-1 hash function as part of the signature algorithm for leaf and intermediate certificates. Cryptographic weaknesses in the SHA-1 algorithm, combined with increases in computational power, make it viable for well-funded attackers to generate multiple certificates with the same SHA-1 hash but with different contents. When a CA applies a SHA-1 RSA signature to the certificate it has validated, which appears benign, that signature is therefore equally valid for the alternate certificate the attacker has prepared, which may impersonate a well-known website.

To address this risk, CAs were prohibited from issuing any SHA-1 certificates after January 1, 2016, as well as any expiring after December 31, 2016. Many browsers (Chrome, Mozilla Firefox, Microsoft IE/Edge, and others) will also start rejecting certificates signed with SHA-1 early in 2017.

Will CA ACF2 still work OK with SHA-1 certificates?




CA ACF2 isn't dropping support for SHA-1 certificates after December 31, 2016. However, bear in mind that the ESM (ACF2, Top Secret, or RACF) is basically just a certificate repository on the z/OS platform. The ESM provides a callable service API called R_Datalib (IRRSDL00/IRRSDL64) that callers can use to retrieve certificates. The caller might be CICS, TCP/IP, WebSphere, etc., and the ESM has no knowledge whatsoever of how the caller intends to use certificates retrieved using that API.

So while SHA-1 certificates can still be retrieved via the R_Datalib service after December 31, 2016, there is really no way to know whether those certificates will function without going through a complete inventory of the certificates to determine how they are being used.

If you've used a well-known Certificate Authority to sign your certificates, you should contact your Certificate Authority to check on issues relating to the SHA-1 certificates you have on ACF2. Some Certificate Authorities have SHA checker tools that can be used to examine the certificate chain being used for SSL/TLS connections to web sites your company maintains.
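As a starting point for the inventory described above, the following added example (not part of the original article and not CA-supplied code) reads the outer signatureAlgorithm field of DER-encoded certificates and reports the ones signed with SHA-1. It assumes the certificates have already been exported from the ESM in DER form; the labels `WEBSRV01`/`WEBSRV02` and the certificate-shaped test bytes are constructed for illustration.

```python
# signatureAlgorithm OIDs whose signature is computed over a SHA-1 hash
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def signature_oid(der):
    """Return the outer signatureAlgorithm OID of a DER-encoded certificate."""
    tag, cert, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)   # algorithm OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate")
    return decode_oid(oid)

def sha1_signed(inventory):
    """Map label -> algorithm name for each certificate signed with SHA-1."""
    oids = {label: signature_oid(der) for label, der in inventory.items()}
    return {l: SHA1_SIG_OIDS[o] for l, o in oids.items() if o in SHA1_SIG_OIDS}

def skeleton(oid_hex):  # constructed input: certificate-shaped DER, dummy contents
    return bytes.fromhex("30820117" "30820100" + "00" * 256 + "300d0609" + oid_hex + "0500" "03020000")

SAMPLE = {  # constructed labels standing in for exported certificates
    "WEBSRV01": skeleton("2a864886f70d010105"),  # sha1WithRSAEncryption
    "WEBSRV02": skeleton("2a864886f70d01010b"),  # sha256WithRSAEncryption
}
print(sha1_signed(SAMPLE))
```

The output identifies which certificates carry a SHA-1 signature; deciding whether each one still functions requires knowing which caller (CICS, TCP/IP, WebSphere, etc.) presents it and to whom.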