Whether SHA-1 signed certificates issued by local trust anchors are allowed

When this setting is enabled, Google Chrome allows SHA-1 signed certificates as long as they successfully validate and chain to a locally-installed CA certificate.

Note that this policy depends on the operating system certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed on or around January 1st 2019.

If this policy is not set, or it is set to false, then Google Chrome follows the publicly announced SHA-1 deprecation schedule.


Supported on: Microsoft Windows XP SP2 or later
Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry Path: Software\Policies\Google\Chrome
Value Name: EnableSha1ForLocalAnchors
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0
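Because this policy relaxes certificate validation, it is worth auditing where it is still set. The following PowerShell is an added example, not part of the original policy documentation; it reads the value listed above from HKEY_LOCAL_MACHINE and, going beyond the single HKEY_CURRENT_USER hive, from every user hive currently loaded under HKEY_USERS. The function name Get-Sha1AnchorPolicy is hypothetical.

```powershell
# Added example: report the state of EnableSha1ForLocalAnchors per hive.
# Path, value name and type come from the policy description above.
$subPath   = 'Software\Policies\Google\Chrome'
$valueName = 'EnableSha1ForLocalAnchors'

function Get-Sha1AnchorPolicy {          # hypothetical helper name
    param([Microsoft.Win32.RegistryKey]$Root, [string]$Scope)

    $state = 'NotSet'; $value = $null; $kind = $null
    $key = $Root.OpenSubKey($subPath)    # read-only open; $null if the key is absent
    if ($null -ne $key) {
        try {
            $value = $key.GetValue($valueName, $null)
            if ($null -ne $value) {
                $kind  = $key.GetValueKind($valueName)
                # Only a REG_DWORD of 1 or 0 matches the documented values.
                $state = if ($kind -ne 'DWord') { 'WrongType' }
                         elseif ($value -eq 1)  { 'Enabled' }
                         elseif ($value -eq 0)  { 'Disabled' }
                         else                   { 'Unexpected' }
            }
        } finally { $key.Close() }
    }
    [pscustomobject]@{ Scope = $Scope; State = $state; Value = $value; Kind = $kind }
}

# Machine-wide policy.
$results = @(Get-Sha1AnchorPolicy -Root ([Microsoft.Win32.Registry]::LocalMachine) -Scope 'HKLM')

# Per-user policy for every loaded profile (account SIDs only, no *_Classes keys).
foreach ($sid in [Microsoft.Win32.Registry]::Users.GetSubKeyNames()) {
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }
    $userRoot = [Microsoft.Win32.Registry]::Users.OpenSubKey($sid)
    if ($null -eq $userRoot) { continue }
    try     { $results += Get-Sha1AnchorPolicy -Root $userRoot -Scope "HKU\$sid" }
    finally { $userRoot.Close() }
}

$results | Format-Table -AutoSize

# 'Enabled' means Chrome is being asked to accept SHA-1 chains to local anchors;
# 'NotSet' and 'Disabled' mean it follows the public SHA-1 deprecation schedule.
$results | Where-Object State -eq 'Enabled'
```

Run it from an elevated session so that other users' loaded hives are readable; profiles that are not logged on are not loaded under HKEY_USERS and are not covered.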

chrome.admx
