This article has been archived and is no longer updated by Apple.

Move to SHA-256 signed certificates to avoid connection failures

Developers, website operators, and server administrators using SHA-1 signed certificates for TLS security should move to SHA-256 signed certificates as soon as possible.

Support for SHA-1 signed certificates used for Transport Layer Security (TLS) in Safari and WebKit ended with the releases of macOS Sierra 10.12.4, iOS 10.3, tvOS 10.2, and watchOS 3.2. These updates removed support for all SHA-1 signed certificates issued from a root Certification Authority (CA) included in the operating system's default trust store.

macOS High Sierra 10.13, iOS 11, tvOS 11, and watchOS 4 don't support SHA-1 signed certificates for any TLS connections.

SHA-1 signed root CA certificates, enterprise-distributed SHA-1 certificates, and user-installed SHA-1 certificates are not affected.

What's changed?

In macOS Sierra 10.12.4 and later and iOS 10.3 and later, Safari displays a notification when a user navigates to a webpage that attempts to create a TLS connection using a SHA-1 signed certificate. The user must click the notification to load the site. After loading, the site appears as an insecure connection in Safari.

Apps that use WebKit to connect to a site using TLS will receive an error if the site’s certificate is SHA-1 signed. Developers need to ensure that their apps handle these errors.

In macOS High Sierra 10.13, iOS 11, tvOS 11, and watchOS 4, any app that attempts to create a TLS connection using a SHA-1 signed certificate will fail to connect. This includes servers used for mail, calendars, VPN, and other services.

What do I need to do?

Developers, website operators, and server administrators should move to SHA-256 signed certificates as soon as possible to prevent warnings and connection failures. Many CA operators provide SHA-256 signed certificates.

For a list of root CA certificates included in the default trust stores on our platforms, see:
