I'd like to request addition of an attack or feature that checks for certificates that use the SHA-1 hash algorithm.

I notice Google will soon be warning users in Chrome (v41) of certificates using SHA-1 that expire after 1 January 2016. http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

My suggested implementation for SHA-1 certificates is:
[WARNING] message for certificates expiring after 1 Jan 2016 but before 1 Jan 2017.
[ERROR] message for certificates expiring after 1 Jan 2017.
(To make maintenance of messages easier you could check the current date, and if it's after 1 Jan 2017 and an unexpired SHA-1 certificate is found, raise a [CRITICAL] message.)

There shouldn't be too many certificates still using MD5, but it would be good to throw a message if one is found. Suggested implementation:

PS. Mozilla I believe is doing something similar in Firefox. https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
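The severity rules proposed in the post, implemented as a stand-alone Python check. This is an added example written for this page, not code from the issue author or from the scanner's code base. The function names (`hash_of`, `classify`, `scan`), the OpenSSL-style signature-algorithm strings, the strict handling of certificates expiring exactly on a cutoff date, the ERROR severity for MD5 (the post asks only for "a message") and the sample certificate inventory are all assumptions.

```python
"""Classify certificate signature-hash findings per the proposed sunset rules.

Added example: hash_of(), classify() and scan() are this example's own names,
not the scanner's API. Certificates are plain dicts carrying the signature
algorithm string (as OpenSSL prints it) and the notAfter date.
"""
from datetime import date
import re

# Cutoff dates taken from the proposal.
SHA1_WARN_AFTER = date(2016, 1, 1)   # expiring after this -> WARNING
SHA1_ERROR_AFTER = date(2017, 1, 1)  # expiring after this -> ERROR
# Assumption: a certificate expiring exactly on a cutoff is treated as NOT
# "after" it (strict comparison), following the wording of the proposal.

# Assumption: MD5 findings carry ERROR severity; the post only asks for "a message".
MD5_SEVERITY = "ERROR"

# Digest names as they appear inside OpenSSL signature-algorithm strings such as
# "sha1WithRSAEncryption", "ecdsa-with-SHA1" or "md5WithRSAEncryption".
_DIGEST_RE = re.compile(r"(md5|sha-?1|sha224|sha256|sha384|sha512)", re.IGNORECASE)


def hash_of(sig_alg: str) -> str:
    """Return the normalised digest name ('md5', 'sha1', 'sha256', ...) embedded in
    a signature-algorithm string, or 'unknown' if none is recognised."""
    m = _DIGEST_RE.search(sig_alg)
    return m.group(1).lower().replace("-", "") if m else "unknown"


def classify(sig_alg: str, not_after: date, today: date):
    """Apply the proposed rules to one certificate.

    Returns (severity, message), or None when the certificate needs no message.
    """
    digest = hash_of(sig_alg)
    if digest == "md5":
        return (MD5_SEVERITY, f"certificate signed with MD5 ({sig_alg})")
    if digest != "sha1":
        return None  # SHA-2 family or unrecognised: nothing to report here
    if not_after <= SHA1_WARN_AFTER:
        return None  # expires before the sunset window opens
    # Post-sunset rule: once 1 Jan 2017 has passed, a SHA-1 certificate that is
    # still valid is the most urgent case.
    if today > SHA1_ERROR_AFTER and not_after >= today:
        return ("CRITICAL", f"unexpired SHA-1 certificate found after 1 Jan 2017 (expires {not_after})")
    if not_after > SHA1_ERROR_AFTER:
        return ("ERROR", f"SHA-1 certificate expires after 1 Jan 2017 ({not_after})")
    return ("WARNING", f"SHA-1 certificate expires after 1 Jan 2016 but not after 1 Jan 2017 ({not_after})")


def scan(certs, today: date):
    """Run classify() over an iterable of {'subject', 'sig_alg', 'not_after'} dicts
    and return a list of (subject, severity, message) findings, in input order."""
    findings = []
    for c in certs:
        result = classify(c["sig_alg"], c["not_after"], today)
        if result:
            findings.append((c["subject"], *result))
    return findings


# Constructed sample inventory (not real certificates).
SAMPLE_CERTS = [
    {"subject": "www.example.test (A)", "sig_alg": "sha1WithRSAEncryption", "not_after": date(2015, 11, 30)},
    {"subject": "www.example.test (B)", "sig_alg": "sha1WithRSAEncryption", "not_after": date(2016, 6, 30)},
    {"subject": "www.example.test (C)", "sig_alg": "ecdsa-with-SHA1", "not_after": date(2017, 6, 30)},
    {"subject": "www.example.test (D)", "sig_alg": "sha256WithRSAEncryption", "not_after": date(2018, 1, 1)},
    {"subject": "legacy.example.test", "sig_alg": "md5WithRSAEncryption", "not_after": date(2016, 3, 1)},
]

if __name__ == "__main__":
    # Scan the same inventory from before and after the 1 Jan 2017 sunset to show
    # how the CRITICAL rule changes the outcome for certificate C.
    for when in (date(2015, 3, 1), date(2017, 3, 1)):
        print(f"--- scan as of {when} ---")
        for subject, severity, message in scan(SAMPLE_CERTS, when):
            print(f"[{severity}] {subject}: {message}")
```

Running the block scans the constructed inventory twice: as of March 2015 the SHA-1 certificate expiring in mid-2017 is an ERROR, and as of March 2017 the same still-valid certificate becomes CRITICAL, while the one that expired in 2016 stays a WARNING because it is no longer unexpired. A real scanner would populate the dicts from the parsed leaf (and intermediate) certificates rather than from literals.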