
SHA-1 certificate warnings: are your trust decisions ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: Mozilla plans to warn on SHA-1 certificates in Firefox and eventually reject them outright, aligning with Microsoft and Google’s earlier deprecation timeline and accelerating the move away from legacy certificate trust, according to DigiCert. The practical lesson is that certificate lifecycle management must surface weak algorithms before browsers do, or user-visible trust failures will arrive first.

NHIMG editorial — based on content published by DigiCert: Mozilla to Add SHA-1 Security Warnings

Questions worth separating out

Q: How should security teams handle legacy certificate algorithms before browsers deprecate them?

A: Security teams should inventory certificates by algorithm, consumer, and trust exposure, then prioritise removal of weak algorithms before browser warnings become user-facing failures.

Q: Why do legacy certificates create operational risk even when they have not expired?

A: Legacy certificates can remain technically valid while becoming operationally untrusted because browsers, consoles, or platform policies no longer accept the underlying algorithm.

Q: What do organisations get wrong about certificate lifecycle management?

A: Many teams focus on expiry dates and miss the trust policy changes that can invalidate a certificate earlier.

Practitioner guidance

  • Inventory every SHA-1 certificate across public and internal estates: locate certificates in production, test, and developer paths, then map where browser-based trust decisions could surface.
  • Prioritise replacement by trust exposure, not by renewal date alone: replace certificates that are most likely to trigger browser warnings first, especially those used in customer-facing services or shared administrative workflows.
  • Add algorithm deprecation checks to lifecycle reviews: make hash strength and issuance policy part of certificate recertification and change control.

What's in the full analysis

DigiCert’s full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact browser warning timeline for Firefox console and browser behaviour across 2015, 2016, and 2017.
  • DigiCert’s guidance on using the SHA-1 Sunset Tool to identify certificates that still need replacement.
  • The vendor’s explanation of why its customers were expected to be largely unaffected by the Firefox changes.
  • The original reasoning cited from Mozilla, Microsoft, and Google on why SHA-1 deprecation was being accelerated.

👉 Read DigiCert’s analysis of Mozilla’s SHA-1 trust warnings →


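The inventory step in the guidance above, as an added example that is not from the DigiCert post or the NHIMG editorial: a stdlib-only Python check that reads the signature-algorithm OID straight out of DER-encoded certificates and flags the SHA-1 based ones. The OID table covers only the algorithms listed, and the two DER skeletons and the inventory names are constructed sample data, not real certificates.

```python
# Signature-algorithm OIDs -> (name, weak). Unknown OIDs are returned for review.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf, pos):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_decode(raw):
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, pos)           # tbsCertificate: skipped whole
    tag, alg_pos, _ = _tlv(der, tbs_end)     # signatureAlgorithm ::= SEQUENCE
    tag2, oid_s, oid_e = _tlv(der, alg_pos)  # its first element: OBJECT IDENTIFIER
    if (tag, tag2) != (0x30, 0x06):
        raise ValueError("unexpected signatureAlgorithm structure")
    return _oid_decode(der[oid_s:oid_e])

def classify(der):
    """Return (algorithm name, weak) for one DER certificate; (oid, None) if unknown."""
    oid = signature_oid(der)
    return SIG_ALGS.get(oid, (oid, None))

def audit(inventory):
    """inventory: {name: der_bytes}. Returns names whose signature is SHA-1 based."""
    return sorted(name for name, der in inventory.items() if classify(der)[1])

# Constructed sample input (certificate-shaped DER skeletons, not real certificates):
# SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { OID, NULL }, BIT STRING }
SAMPLE_SHA1_RSA = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "03020000")
SAMPLE_SHA256_RSA = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "03020000")
```

Pass `audit()` a mapping of certificate names to DER bytes (for PEM files, base64-decode the body between the `-----` markers first); unknown OIDs come back from `classify()` with `None` so they can be reviewed rather than silently passed.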
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Certificate trust is no longer governed only by issuance and expiry. Browser vendors now act as external control planes for trust policy, which means lifecycle governance must account for algorithm deprecation as well as renewal dates. The practical implication is that certificate programmes need a trust-state view, not just a renewal calendar.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • Only 38% have automated certificate lifecycle management in place, which helps explain why deprecation timelines often become operational surprises.

A question worth separating out:

Q: Who is accountable when a browser no longer trusts a certificate?

A: Accountability sits with the team that owns certificate lifecycle governance, including inventory, renewal, and remediation. In practice, that often spans security, platform, and application owners. The framework lesson is simple: if a certificate can trigger a trust failure in production, it needs an assigned owner before deprecation begins.

👉 Read our full editorial: Mozilla’s SHA-1 warnings show how certificate trust deprecates
