Some CAs remain cautious about retiring SHA-1. This is mainly because of Windows XP: support for XP expired in April 2014, yet XP remains the number one operating system for many users and, unfortunately, also for various authorities and companies. For Windows XP to recognize SHA-2, Service Pack 3 (SP3) must be installed; the SHA-2 hashes SHA-256, SHA-384 and SHA-512 are then supported. Windows Server 2003 is more complicated: SP2 does not support the hash algorithm at all, but the functionality can be partially upgraded. Microsoft explains how this works in the Knowledge Base entries KB938397 and KB968730.

According to announcements by various developers, many will switch to SHA-2 in the coming months, which may cause compatibility issues. The authors of the Windows PKI blog recommend the following actions:

  • If you use Windows XP, install SP3 to support SHA-2.
  • If your XP systems require certificates from SHA-2 Certification Authorities, please refer to Knowledge Base article KB968730.
  • Order SHA-2 certificates for Windows Server 2003, install SP2, and follow the instructions in KB938397.
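Before such a switch it helps to know which certificates are still signed with SHA-1 or MD5. The following added example (not code from the Windows PKI blog or from this wiki) reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate with a minimal ASN.1 walk and maps it to the hash used; the two DER skeletons are constructed samples, and the helper names are my own.

```python
import base64, re

# OID -> hash algorithm used in the signature (common RSA and ECDSA identifiers)
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "MD5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode to the DER certificate bytes."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_hash(cert_der):
    """Return the hash named by the outer signatureAlgorithm of a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { ... }
    _, _, pos = read_tlv(cert, 0)             # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)        # signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)         # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return SIG_ALG_HASH.get(decode_oid(oid), "unknown")

def is_legacy_signature(cert_der):
    """True when the certificate is signed with the obsolete SHA-1 or the insecure MD5."""
    return signature_hash(cert_der) in ("MD5", "SHA-1")

# Constructed minimal DER skeletons (empty tbsCertificate, empty signature), not real certs:
SHA1_CERT_SKELETON = bytes.fromhex("3014" "3000" "300d0609" "2a864886f70d010105" "0500" "030100")
SHA256_CERT_SKELETON = bytes.fromhex("3014" "3000" "300d0609" "2a864886f70d01010b" "0500" "030100")
```

On a real certificate, call `signature_hash(pem_to_der(open("cert.pem").read()))`; a result of SHA-256, SHA-384 or SHA-512 is a SHA-2 signature, which on XP requires SP3 as described above.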

Another exception is the use of S/MIME certificates in Outlook 2003, 2007 and 2010 on Windows XP, even with SP3 installed: programs on XP SP3 cannot validate e-mail messages that were signed using SHA-2. XP users can sign their Outlook messages only with the obsolete SHA-1 method or even with the insecure MD5. SHA-2 signatures require at least Windows Vista with Outlook (at least 2003). To both sign and validate SHA-2 messages, you need at least Vista and Outlook 2007.

We explicitly advise against continuing to use Windows XP. Apart from the fact that support has expired, the security of the operating system no longer meets current requirements. A summary table of SHA-2 support is available here in our SSL-Wiki.

