Unfortunately, many CAs decided to ignore it, presumably on the assumption that Microsoft would be forced to back down. We've done this dance with MD5 and 1024-bit certificates and we know how it goes. Here's a quick list of CAs that issued more than 2000 certificates extending into 2017 with SHA-1:
We would all have liked CAs to have acted either when the Baseline was updated (2011) or when Microsoft laid down dates (Nov 2013) or when Chrome talked about doing this at the CA/B Forum meeting earlier this year. It is unfortunate that that 2016/2017 dates are being ignored.
If you run a site and want to be insulated from this sort you might want to consider getting one year certificates. CAs like to sell multiple years of course but doing renewal once every three (or more) years means that you have a significant risk of loosing the institutional knowledge of how to do it. (E.g. the renewal remainder email goes to someone who left last year and you then have a panic when it expires). Additionally, very long lived certificates are not insulated from from these sorts of changes and you may need to replace them during their lifetime anyway.
The claim that CAs have been sitting on SHA-1 and not migrating to SHA-2 is not entirely accurate, at least in my experience with DigiCert.
Consequently, people I know there have told me that 25% of all SHA-2 certs expiring in 2017 have been issued by DigiCert, well beyond their market share. DigiCert has migrated all but a couple hundred customer certificates expiring in 2017 onto SHA-2, and those should be moved soon.
As for CAs in general, much of the blame lies not with CAs but with the lack of SHA-2 compatibility in certain devices and software.
For its part, today, DigiCert released a new, free tool that makes it easy for sys admins to identify all SHA-1 certs in their networks, determine validity periods and how future Chrome releases will treat these certs, and help admins map out a path toward SHA-1 sunsetting and SHA-2 migration.
DigiCert will also replace any SHA-1 certs – for current customers and non-customers alike – for free. They will match the existing SHA-1 term for a free upgrade to SHA-2 through the end of the licensing period. Here’s a link from a Dark Reading article:
I suppose the CA's didn't jump on issuing SHA2 certs the same day as the as the Baseline update or the MS announcement, but they don't seem to be standing still.
Wondering how many of those certs from GlobalSign, GoDaddy, GeoTrust, etc. are 4 & 5 year certs purchased prior to any announcement? As you noted CA's like to push multi-year certs.
While you can usually reissue/re-key your cert free of charge with CA's, a lot of companies are probably hesitant to make sudden moves to SHA2 when there are compatibility concerns. Many on legacy systems like Server 2003 cannot update to SHA2. As I mentioned in another comment the hotfixes only bring Server 2003 SHA2 support up to the same level as XP SP3. (Only compatible as a client, not as a server).
Also Microsoft's fastest approaching SHA2 deadline is January 2016 for CodeSigning yet Windows Vista & 7 don't support SHA2 signatures on kernel drivers. Not sure if that's been patched yet, but it would seem Microsoft isn't fully prepared to support their own policies either at the time of their own announcement.
Unfortunately, many CAs decided to ignore it, presumably on the assumption that Microsoft would be forced to back down. We've done this dance with MD5 and 1024-bit certificates and we know how it goes. Here's a quick list of CAs that issued more than 2000 certificates extending into 2017 with SHA-1:
GlobalSign nv-sa: 75,312 GoDaddy: 41,606 GeoTrust: 40,429 Comodo: 37,789 Verisign: 34,927 Terena: 9,444 Thawte: 8,735 Internet2: 8,637 Network Solutions: 8,077 Entrust: 5,542 AlphaSSL: 3,458
We would all have liked CAs to have acted either when the Baseline was updated (2011) or when Microsoft laid down dates (Nov 2013) or when Chrome talked about doing this at the CA/B Forum meeting earlier this year. It is unfortunate that that 2016/2017 dates are being ignored.
If you run a site and want to be insulated from this sort you might want to consider getting one year certificates. CAs like to sell multiple years of course but doing renewal once every three (or more) years means that you have a significant risk of loosing the institutional knowledge of how to do it. (E.g. the renewal remainder email goes to someone who left last year and you then have a panic when it expires). Additionally, very long lived certificates are not insulated from from these sorts of changes and you may need to replace them during their lifetime anyway.