By NHI Mgmt Group Editorial Team
Published 2025-09-29
Domain: Breaches & Incidents
Source: DigiCert

TL;DR: Mozilla plans to warn on SHA-1 certificates in Firefox and eventually reject them outright, aligning with Microsoft and Google’s earlier deprecation timeline and accelerating the move away from legacy certificate trust, according to DigiCert. The practical lesson is that certificate lifecycle management must surface weak algorithms before browsers do, or user-visible trust failures will arrive first.


At a glance

What this is: A DigiCert analysis of Mozilla's plan to deprecate SHA-1 trust in Firefox and warn users about legacy certificates.

Why it matters: Identity and access teams need certificate inventory, replacement, and lifecycle controls to avoid browser-driven trust failures across machine identities and web services.

By the numbers:

👉 Read DigiCert’s analysis of Mozilla’s SHA-1 trust warnings


Context

Certificate trust deprecation is a lifecycle problem before it is a browser problem. When a public trust store starts warning on a legacy algorithm, organisations are no longer managing certificates on their own schedule; they are managing against external enforcement that can break services, developer tooling, and machine-to-machine trust paths.

For identity teams, SHA-1 is a reminder that certificate posture is part of NHI governance, not just PKI housekeeping. Weak cryptography, incomplete inventory, and delayed replacement all turn into operational risk once browsers and platform vendors stop tolerating old trust assumptions.

DigiCert’s article is typical of the broader pattern: browser vendors do not wait for enterprises to finish their clean-up work.


Key questions

Q: How should security teams handle legacy certificate algorithms before browsers deprecate them?

A: Security teams should inventory certificates by algorithm, consumer, and trust exposure, then prioritise removal of weak algorithms before browser warnings become user-facing failures. The key is to treat deprecation as a lifecycle issue, not a renewal issue. If a certificate depends on an algorithm that major platforms no longer trust, it belongs in immediate remediation.

Q: Why do legacy certificates create operational risk even when they have not expired?

A: Legacy certificates can remain technically valid while becoming operationally untrusted because browsers, consoles, or platform policies no longer accept the underlying algorithm. That creates a gap between certificate expiry and certificate trust. Teams should therefore track algorithm strength, not just expiration dates, when assessing risk.

Q: What do organisations get wrong about certificate lifecycle management?

A: Many teams focus on expiry dates and miss the trust policy changes that can invalidate a certificate earlier. They also fail to map where certificates are consumed, which means browser warnings arrive before the remediation plan is ready. A lifecycle programme needs inventory, ownership, and algorithm awareness.

Q: Who is accountable when a browser no longer trusts a certificate?

A: Accountability sits with the team that owns certificate lifecycle governance, including inventory, renewal, and remediation. In practice, that often spans security, platform, and application owners. The framework lesson is simple: if a certificate can trigger a trust failure in production, it needs an assigned owner before deprecation begins.


Technical breakdown

Why SHA-1 deprecation becomes a trust event, not just a crypto update

SHA-1 is a hash algorithm used in certificate signing and integrity checks. As collision attacks became more practical, the trust value of SHA-1 certificates declined: an attacker who can construct two different inputs that hash to the same value undermines the assumption that a signature over one certificate's contents cannot be reused for another, which weakens the security assumptions behind certificate validation. Browser vendors respond by changing trust policy before the algorithm is fully broken, which creates a deprecation window rather than a single cutover. That window is where operational risk accumulates, because existing certificates may still function until warnings or hard failures begin.

Practical implication: track algorithm usage as a lifecycle risk signal, not a compliance footnote.

How browser warnings change certificate lifecycle management

Browser warnings shift certificate management from passive renewal to active remediation. A certificate can be technically valid and still be operationally unacceptable if the browser or console flags it as untrusted. That means organisations need discovery across public-facing services, developer environments, and internal dependencies that surface in browser-based workflows. The issue is not only web endpoints, because shared libraries, automation jobs, and test systems often inherit the same trust chain. Once warnings appear, the remediation burden moves from maintenance teams to incident-style response.

Practical implication: build inventory and replacement workflows that can act before browser trust changes reach production.

Why certificate expiration alone is not enough as a control

The article shows that expiry dates do not fully describe certificate risk. A certificate can remain unexpired while becoming operationally unsafe because the underlying algorithm is being phased out by trust stores. That creates a control gap between validity and trustworthiness. Mature certificate lifecycle management therefore tracks not only date fields but also algorithm strength, issuance date, and dependent application paths. In practice, the question is whether a certificate will remain trusted in the environments that consume it, not whether it still exists on paper.

Practical implication: add algorithm deprecation checks to certificate governance and renewal review.


Threat narrative

Attacker objective: The practical attacker objective in this pattern is to exploit weakening trust assumptions before organisations replace legacy certificates, creating opportunities for fraudulent or unreliable certificate acceptance.

  1. Entry occurs when users or developers encounter a SHA-1 certificate in a browser or console and see trust warnings instead of silent acceptance.
  2. Escalation happens when the organisation continues to rely on certificates that browsers will increasingly treat as untrusted, expanding the blast radius from a single endpoint to shared services and tooling.
  3. Impact is operational trust failure, including broken access paths, user distrust, and accelerated replacement work across affected certificate estates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate trust is no longer governed only by issuance and expiry. Browser vendors now act as external control planes for trust policy, which means lifecycle governance must account for algorithm deprecation as well as renewal dates. The practical implication is that certificate programmes need a trust-state view, not just a renewal calendar.

SHA-1 sunset planning exposes the gap between cryptographic validity and operational trust. A certificate can still be present, still be deployed, and still fail policy because the consuming platform no longer accepts it. That gap is the real governance problem, and it affects both public web identity and internal machine identity estates. Practitioners should treat trust enforcement as part of identity lifecycle management.

Legacy certificate inventory is the control that determines whether deprecation becomes an outage. The organisations that can locate SHA-1 at scale will absorb browser warnings as planned remediation. The organisations that cannot will experience trust failure as an externally timed event, not an internal choice. The implication is that visibility is the first control, not the last.

Certificate lifecycle discipline is a machine identity control plane, not a PKI detail. Certificates authenticate workloads, services, and automated systems, so weak algorithm exposure affects NHI governance as much as website security. When trust deprecations arrive, the organisations with mature lifecycle processes can replace certificates before browsers force the issue. Practitioners should align certificate governance with broader NHI management.

From our research:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • Only 38% have automated certificate lifecycle management in place, which helps explain why deprecation timelines often become operational surprises.
  • For a broader control map, see NHI Lifecycle Management Guide for the governance steps that keep machine identities aligned with trust policy.

What this signals

Certificate deprecation should be managed as a workload identity issue. As more services depend on machine-issued credentials, browser trust changes become one more reason to align PKI operations with broader NHI lifecycle governance. The organisations that separate certificate management from identity governance will keep discovering trust failures late.

With 57% of organisations lacking a complete inventory of their machine identities, the same visibility gap that affects service accounts also affects certificate estates, and it will slow SHA-1 replacement where it matters most. That makes discovery, ownership, and remediation sequencing the real programme differentiators.

Teams should expect trust policy to tighten faster than their internal renewal cadence. The practical response is to track algorithm exposure alongside credential age and to connect certificate governance to the same review processes used for other non-human identities.


For practitioners

  • Inventory every SHA-1 certificate across public and internal estates: Locate certificates in production, test, and developer paths, then map where browser-based trust decisions could surface. Include web apps, internal portals, automation endpoints, and embedded dependencies that inherit the same chain.
  • Prioritise replacement by trust exposure, not by renewal date alone: Replace certificates that are most likely to trigger browser warnings first, especially those used in customer-facing services or shared administrative workflows. A valid certificate that is no longer trusted is already a service risk.
  • Add algorithm deprecation checks to lifecycle reviews: Make hash strength and issuance policy part of certificate recertification and change control. Review whether any certificate depends on SHA-1, then route it through the same remediation path as an expiring or revoked credential.
  • Align PKI remediation with NHI governance processes: Treat certificates as machine identities with owners, dependencies, and offboarding requirements. Use the NHI Lifecycle Management Guide for lifecycle structure and the OWASP Non-Human Identity Top 10 for risk framing.
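The checks described in the Technical breakdown above (signature algorithm as a lifecycle risk signal, and the gap between a certificate's validity period and its trust state) together with the first three practitioner steps, as one added example in Python. This is not DigiCert's or NHIMG's code. It assumes a standard-library-only environment and reads the signatureAlgorithm and notAfter fields directly from DER rather than through an X.509 library. Because the page carries no real certificates, the sample estate is built from constructed, unsigned certificate skeletons; the hostnames, the three exposure tiers, and the ranking rule (customer-facing before shared administrative before internal) are illustrative assumptions.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs (PKCS#1 and ANSI X9.62 registrations) mapped to (name, hash family).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
DEPRECATED_HASHES = {"SHA-1"}  # hash families public trust stores no longer accept for signatures

def read_tlv(buf, pos):  # decode one DER TLV header at pos; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(value):  # base-128 OID decoding; the first byte packs the first two arcs
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_certificate(der):
    """Read signatureAlgorithm and notAfter from a DER X.509 certificate (no signature check)."""
    _, pos, _ = read_tlv(der, 0)                    # Certificate SEQUENCE
    _, tbs, tbs_end = read_tlv(der, pos)            # tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)              # signatureAlgorithm (AlgorithmIdentifier)
    _, oid, oid_end = read_tlv(der, alg)            # the algorithm OID inside it
    tag, _, end = read_tlv(der, tbs)
    p = end if tag == 0xA0 else tbs                 # skip the optional [0] EXPLICIT version
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, p = read_tlv(der, p)
    _, val, _ = read_tlv(der, p)                    # validity SEQUENCE { notBefore, notAfter }
    ttag, t0, t1 = read_tlv(der, read_tlv(der, val)[2])  # step over notBefore, read notAfter
    fmt = "%y%m%d%H%M%SZ" if ttag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    not_after = datetime.strptime(der[t0:t1].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    oid_text = decode_oid(der[oid:oid_end])
    name, hash_name = SIGNATURE_OIDS.get(oid_text, (oid_text, "unknown"))
    return {"signature_algorithm": name, "hash": hash_name, "not_after": not_after}

def der_encode(tag, value):  # minimal DER encoder (lengths < 256), only for the constructed samples
    length = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return bytes([tag]) + length + value

def encode_oid(dotted):  # inverse of decode_oid, only for the constructed samples
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_certificate(sig_oid, not_after):
    """Constructed, unsigned certificate skeleton laid out like RFC 5280; not a CA-issued cert."""
    alg_id = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    utc = lambda d: der_encode(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + alg_id
           + der_encode(0x30, b"") + der_encode(0x30, utc(datetime(2024, 1, 1)) + utc(not_after))
           + der_encode(0x30, b"") + der_encode(0x30, b""))  # empty issuer/subject/SPKI placeholders
    return der_encode(0x30, der_encode(0x30, tbs) + alg_id + der_encode(0x03, b"\x00"))

def assess_inventory(inventory, now):
    """Flag deprecated signature hashes and rank by trust exposure rather than renewal date."""
    exposure_rank = {"customer-facing": 0, "shared-admin": 1, "internal": 2}  # assumed tiers
    findings = []
    for item in inventory:
        info = parse_certificate(item["der"])
        if info["hash"] not in DEPRECATED_HASHES:
            continue
        days_left = (info["not_after"] - now).days
        findings.append({"name": item["name"], "exposure": item["exposure"],
                         "signature_algorithm": info["signature_algorithm"], "days_left": days_left,
                         "still_valid": days_left > 0})  # valid on paper yet already untrusted
    findings.sort(key=lambda f: (exposure_rank[f["exposure"]], f["days_left"]))
    return findings

NOW = datetime(2025, 9, 29, tzinfo=timezone.utc)  # assessment date (the post's publication date)
SAMPLE_INVENTORY = [  # constructed sample estate; hostnames and certificates are not real
    {"name": "intranet-portal", "exposure": "internal",
     "der": build_sample_certificate("1.2.840.113549.1.1.5", datetime(2027, 3, 1))},
    {"name": "www-checkout", "exposure": "customer-facing",
     "der": build_sample_certificate("1.2.840.113549.1.1.5", datetime(2026, 6, 30))},
    {"name": "api-gateway", "exposure": "customer-facing",
     "der": build_sample_certificate("1.2.840.113549.1.1.11", datetime(2026, 1, 15))},
    {"name": "ci-runner", "exposure": "shared-admin",
     "der": build_sample_certificate("1.2.840.113549.1.1.5", datetime(2025, 8, 1))},
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, NOW):
        state = f"valid for {f['days_left']} more days" if f["still_valid"] else "already expired"
        print(f"{f['name']:<16} {f['exposure']:<16} {f['signature_algorithm']:<24} {state}")
```

Run as a script, the report lists only the SHA-1 certificates, customer-facing first: www-checkout is the case the Technical breakdown warns about, still valid for 274 days yet already a trust risk, while api-gateway (SHA-256) is not flagged even though it expires sooner, and ci-runner shows that an expired SHA-1 certificate still sits in the same remediation queue. For real input, base64-decode the body of a PEM file to obtain the DER bytes; a production inventory would also walk every certificate in the chain, since trust depends on each signed certificate, not only the leaf.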

Key takeaways

  • Mozilla’s SHA-1 warning timeline shows that trust deprecation can create user-facing failures before certificates expire.
  • The scale of the problem is governance-related, not just technical, because many organisations still lack the inventory and automation needed to replace weak certificates quickly.
  • The control that matters most is visibility into algorithm use, dependency mapping, and lifecycle ownership before browsers enforce the change for you.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | SHA-1 deprecation exposes weak certificate lifecycle and rotation governance.
NIST CSF 2.0                     | PR.DS-2             | Deprecated cryptography undermines data protection and trusted communications.
NIST Zero Trust (SP 800-207)     | PR.AC-1             | Trust decisions must be continuously validated when certificate trust changes.

Track algorithm strength as part of protective controls and remediate legacy certificates quickly.


Key terms

  • Certificate lifecycle management: The process of tracking, issuing, renewing, rotating, and retiring certificates across their full usable life. In identity programmes, it ensures certificates remain owned, trusted, and replaceable before they fail policy or stop working in consuming systems.
  • Trust deprecation: The planned removal of acceptance for a cryptographic algorithm or certificate format by browsers, platforms, or trust stores. It matters because an identity can be valid on paper while becoming unusable in the environments that enforce trust decisions.
  • Machine identity: A non-human identity used by software, services, and infrastructure to authenticate and communicate. Certificates, tokens, and keys are common machine identity forms, and they require ownership, inventory, and lifecycle control just like human credentials.

Deepen your knowledge

NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: Mozilla to Add SHA-1 Security Warnings. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org