Offtopic: SHA1 in S/MIME Certificates


Hey everyone,

My question is not related to Letsencrypt but to Issuance policies in general…

SHA1 was forbidden for certificates starting with Jan 01, 2016, but I am not sure if this only relevant for SSL/TLS Certificates or for all certificates (e.g. S/MIME Certificates or Codesigning Certificates) in general.

Thank you for your answers :slight_smile:


The SHA-1 ban in the Baseline Requirements only applies to certificates issued for the purpose of TLS encryption. Individual root programs (like Mozilla, Apple, Microsoft, etc.) might have additional requirements for certificates that chain back to a root certificate in their trust store. As an example, Mozilla’s policy requires that SHA-1 certificates chain back to an intermediate certificate that cannot be used for TLS (i.e. lacks the relevant EKUs).

I’m not aware of a similar ban for S/MIME or code signing certificates, and to my knowledge CAs continue to issue at least SHA-1 code signing certificates, perhaps even S/MIME. Unfortunately there’s no comparable document to the Baseline Requirements for these certificate types, so it is mostly a matter of root program policy.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.