picture of tbs certificates
picture of tbs certificates
Our products range

20161104 - Symantec : SHA1 timestamping decommissioning

At the end of January, 2017, Symantec will be decommissioning its SHA1 RFC 3161 timestamp service.

As a result we recommend that all our customers sign their Java applications using SHA256 codesigning certificates and timestamp with the new Symantec SHA256 RFC 3161 timestamp service.


First, SHA1 is disappearing. It is then a natural and an expected evolution of the service.

Then in the near future, Oracle will be taking steps to remove SHA1 support for both Java signing and timestamping.

This will not impact Java applications that were previously signed or timestamped with SHA1, these will continue to function properly, however Java applications signed or timestamped with SHA1 after Oracle’s announced date may not be trusted.

Compatibility issues might occur

Be careful though: Windows Vista, Windows Server 2008 and older platforms are not compatible with SHA256.

It is the reason why Microsoft recommands the dual signature (SHA1/SHA256) for a greater compatibility. So, before going on with any line of action, do not hesitate to double sign all your code.

Which products are concerned?

All code signing certificates issued by Symantec or Thawte.

My code signing certificate is signed in SHA1, what should I do?

2 options:

  • Your certificate expires within the next 3 months: then request your certificate renewal now. You'll be automatically redirected to a SHA256 product.

  • If it's not your case then request a free reissuance of your certificate via its status page. It will automatically delivered in SHA256.

useful links