According to Microsoft Security Advisory 2880823, Microsoft will no longer allow root certificate authorities to issue X.509 certificates that use the SHA-1 hashing algorithm for SSL and code signing after January 1, 2016.
In response to the code signing part of the new policy, Trend Micro solutions have been modified as needed to include both SHA-1 and SHA-2 certificates in all products.
Trend Micro has tested products on the platforms listed below to make sure the new policy is supported.
- Windows Vista SP2, Windows Server 2008 SP2, Windows 2000 SP4, Windows XP SP3 and Windows Server 2003 SP2 are not in the scope of the SHA-1 deprecation policy and can only recognize SHA-1 certificates.
- Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2012 R2 are in the scope of the SHA-1 deprecation policy.
All new software packages created after January 1, 2016 will use SHA-2 certificates for code signing. Customers on Windows versions listed under the required actions must ensure they have applied the required hot fixes to enable SHA-2 compatibility.
Customers deploying (or reinstalling) current versions of Trend Micro software that were originally created and released before January 1, 2016 may still use the SHA-1 versions.
Users running Windows 7 (including SP1) and Windows Server 2008 R2 / R2 SP1 are required to install the hot fixes outlined in Microsoft Security Advisory 3033929 to enable SHA-2 compatibility. Users on Windows 8 and above, as well as Windows Server 2012 and above, already have this compatibility built in.
In addition, several Trend Micro products rely on public root certificates. Most Windows systems can automatically receive updates online; however, isolated or offline machines may not be able to receive them. Customers who receive error messages regarding a missing or outdated VeriSign Class 3 Public Primary Certification Authority G5 in the host machine’s Trusted Root Certification Authorities store are advised to obtain the necessary certificate and manually apply or update it using the information in the following Microsoft article.
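
One way to check both prerequisites on a host before deploying a SHA-2 signed package, as an added example that is not Trend Micro's or Microsoft's code. The function name `Test-Sha2Readiness` is hypothetical, and the script assumes the update for advisory 3033929 is listed under the ID KB3033929 and that the root can be matched by its subject name.

```powershell
# Added example. Uses only cmdlets available in PowerShell 2.0 so it also
# runs on a stock Windows 7 SP1 / Server 2008 R2 SP1 host.
function Test-Sha2Readiness {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    # 6.1 = Windows 7 / Server 2008 R2; 6.2 and later = Windows 8 / Server 2012 and later.
    if ($ver -lt [version]'6.1') {
        $sha2 = 'Out of scope: this OS recognizes SHA-1 certificates only'
    }
    elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        # Assumption: the update for advisory 3033929 is listed as KB3033929.
        # A later rollup may supersede it, so a miss means "verify manually".
        $fix = Get-HotFix -Id 'KB3033929' -ErrorAction SilentlyContinue
        if ($fix) { $sha2 = 'KB3033929 installed' }
        else { $sha2 = 'KB3033929 not found: install it or confirm a superseding update' }
    }
    else {
        $sha2 = 'SHA-2 code signing support is built in'
    }

    # Look for the VeriSign G5 root by subject name in the machine root store.
    $root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*VeriSign Class 3 Public Primary Certification Authority*G5*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $root) { $rootState = 'Missing' }
    elseif ($root.NotAfter -lt (Get-Date)) { $rootState = 'Expired' }
    else { $rootState = 'Present' }

    # One object per host, so results can be exported or compared across machines.
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OSVersion  = $os.Version
        Sha2Status = $sha2
        G5Root     = $rootState
    }
}

Test-Sha2Readiness | Format-List
```

On isolated or offline machines, a `G5Root` value of `Missing` or `Expired` corresponds to the error condition described above and means the root has to be applied manually.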