Support for SHA-1 signed certificates, used for Transport Layer Security (TLS) in Safari and WebKit, has been removed in macOS Sierra 10.12.4, iOS 10.3, tvOS 10.2, and watchOS 3.2.
These updates removed support for all SHA-1 signed certificates that are issued from a root Certification Authority (CA) included in the operating system default trust store. All other TLS connections (those not made through Safari or WebKit) will continue to accept SHA-1 signed certificates until late 2017.
SHA-1 signed root CA certificates, enterprise-distributed SHA-1 certificates, and user-installed SHA-1 certificates are not affected by this change.
What has changed?
In macOS Sierra 10.12.4 and iOS 10.3, Safari displays a notification when a user navigates to a webpage that attempts to create a TLS connection using a SHA-1 signed certificate. The user will have to click through the notification to load the site. After loading, the site appears as an insecure connection in Safari.
Apps that use WebKit to connect to a site using TLS will receive an error if the site’s certificate is SHA-1 signed. Developers will need to ensure that their apps handle these errors.
What do I need to do?
Developers and website operators should move to SHA-256 signed certificates as soon as possible to prevent users from encountering warnings when connecting to their sites. There are many CA operators providing SHA-256 signed certificates.
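As an added example (not part of Apple's document or any Apple tool), the following Python reads the outer signatureAlgorithm field of a DER-encoded certificate with a small hand-written DER walker and flags the SHA-1 signature OIDs, so an operator or app developer can find a SHA-1 signed leaf or intermediate before Safari or WebKit rejects it. The two sample DER blobs are constructed placeholders with an empty tbsCertificate, not real certificates; as the page notes, a SHA-1 signed root CA certificate is not affected, so only the leaf and intermediates need checking.

```python
# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length; real certificates are always > 127 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """OID of the outer signatureAlgorithm in Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def is_sha1_signed(der):
    """True when the certificate's signature uses SHA-1, the case Safari and WebKit now reject."""
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS

# Constructed stand-ins, NOT real certificates: empty tbsCertificate, a genuine
# AlgorithmIdentifier, empty signature; short-form DER lengths are enough here.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content

def _fake_cert(oid_der):
    return _tlv(0x30, _tlv(0x30, b"") + _tlv(0x30, oid_der + b"\x05\x00") + _tlv(0x03, b"\x00"))

SAMPLE_SHA1_CERT = _fake_cert(bytes.fromhex("06092a864886f70d010105"))    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = _fake_cert(bytes.fromhex("06092a864886f70d01010b"))  # sha256WithRSAEncryption
```

For a live site, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library to `is_sha1_signed`; that call returns only the leaf, so intermediates must be fetched from the chain separately.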
For a list of root CA certificates included in the default trust store on our platforms, see: