diff --git a/builtin/logical/transit/path_sign_verify.go b/builtin/logical/transit/path_sign_verify.go index 615696ab3f..46b8e8e32b 100644 --- a/builtin/logical/transit/path_sign_verify.go +++ b/builtin/logical/transit/path_sign_verify.go @@ -36,6 +36,7 @@ derivation is enabled; currently only available with ed25519 keys.`, Default: "sha2-256", Description: `Hash algorithm to use (POST body parameter). Valid values are: +* sha1 * sha2-224 * sha2-256 * sha2-384 @@ -130,6 +131,7 @@ derivation is enabled; currently only available with ed25519 keys.`, Default: "sha2-256", Description: `Hash algorithm to use (POST body parameter). Valid values are: +* sha1 * sha2-224 * sha2-256 * sha2-384 diff --git a/helper/keysutil/consts.go b/helper/keysutil/consts.go index 738a381f19..59142a399a 100644 --- a/helper/keysutil/consts.go +++ b/helper/keysutil/consts.go @@ -1,6 +1,7 @@ package keysutil import ( + "crypto/sha1" "crypto/sha256" "crypto/sha512" "hash" @@ -9,8 +10,9 @@ import ( type HashType uint32 const ( - _ = iota - HashTypeSHA2224 HashType = iota + _ = iota + HashTypeSHA1 HashType = iota + HashTypeSHA2224 HashTypeSHA2256 HashTypeSHA2384 HashTypeSHA2512 @@ -26,6 +28,7 @@ const ( var ( HashTypeMap = map[string]HashType{ + "sha1": HashTypeSHA1, "sha2-224": HashTypeSHA2224, "sha2-256": HashTypeSHA2256, "sha2-384": HashTypeSHA2384, @@ -33,6 +36,7 @@ var ( } HashFuncMap = map[HashType]func() hash.Hash{ + HashTypeSHA1: sha1.New, HashTypeSHA2224: sha256.New224, HashTypeSHA2256: sha256.New, HashTypeSHA2384: sha512.New384, diff --git a/helper/keysutil/policy.go b/helper/keysutil/policy.go index 38b988bb74..4a0d9cbfb7 100644 --- a/helper/keysutil/policy.go +++ b/helper/keysutil/policy.go @@ -1142,6 +1142,8 @@ func (p *Policy) Sign(ver int, context, input []byte, hashAlgorithm HashType, si var algo crypto.Hash switch hashAlgorithm { + case HashTypeSHA1: + algo = crypto.SHA1 case HashTypeSHA2224: algo = crypto.SHA224 case HashTypeSHA2256: 
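Review bot: The help text in both `Description` strings of path_sign_verify.go (the hunks at -36 and -130) now lists `sha1` as an equal peer of the SHA-2 options, with nothing telling an operator that it is the weak choice. SHA-1 is no longer collision resistant, so the bullet should say why it exists, for example `* sha1 (legacy interoperability only; not collision resistant)`. The same wording would fit the two sha1 bullets added to website/source/api/secret/transit/index.html.md. The default stays `sha2-256`, which is the right choice to keep.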
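Review bot: Putting `HashTypeSHA1` ahead of `HashTypeSHA2224` in the iota block of consts.go (hunk at -9,8) renumbers every existing constant: `HashTypeSHA2224` moves from 1 to 2, and so on through `HashTypeSHA2512`. Nothing in this diff shows a HashType being stored or sent as a number, but if one is anywhere, an old value of 1 would now be read as SHA-1, which is a silent downgrade. Appending keeps the old values stable: leave `HashTypeSHA2224 HashType = iota` where it was and add `HashTypeSHA1` after `HashTypeSHA2512`. The end of the const block is outside the hunk, so check that nothing after it would shift in turn.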
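Review bot: The new `"sha1": HashTypeSHA1` entry in `HashTypeMap` and `HashTypeSHA1: sha1.New` in `HashFuncMap` (hunks at -26 and -33) go into exported package-level tables, so any other caller that resolves an algorithm name through them will start accepting `sha1` as well. Only the sign and verify paths have their help text updated in this commit, so it is worth confirming whether other endpoints read these maps and whether SHA-1 is wanted there. A comment on the entries such as `// legacy interoperability only; do not use for new data` would record the intent.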
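Review bot: `case HashTypeSHA1: algo = crypto.SHA1` in `Sign` (policy.go, hunk at -1142) lets the service produce new SHA-1 signatures, not just check old ones; the same case is added to `VerifySignature` in the hunk at -1293. Because SHA-1 is no longer collision resistant, a SHA-1 signature does not bind the signer to a single message, so accepting it when verifying legacy data is easier to justify than issuing fresh signatures with it. Consider rejecting it in `Sign` unless the key or request opts in explicitly, and at minimum add `// SHA-1: kept for interoperability with legacy verifiers; prefer SHA-2` above both cases. The switch statements and both function bodies continue outside the hunks.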
@@ -1293,6 +1295,8 @@ func (p *Policy) VerifySignature(context, input []byte, hashAlgorithm HashType, var algo crypto.Hash switch hashAlgorithm { + case HashTypeSHA1: + algo = crypto.SHA1 case HashTypeSHA2224: algo = crypto.SHA224 case HashTypeSHA2256: diff --git a/website/source/api/secret/transit/index.html.md b/website/source/api/secret/transit/index.html.md index 88f596adbf..412a5bb89f 100644 --- a/website/source/api/secret/transit/index.html.md +++ b/website/source/api/secret/transit/index.html.md @@ -799,6 +799,7 @@ supports signing. own hash algorithm). This can also be specified as part of the URL. Currently-supported algorithms are: + - `sha1` - `sha2-224` - `sha2-256` - `sha2-384` @@ -877,6 +878,7 @@ data. - `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This can also be specified as part of the URL. Currently-supported algorithms are: + - `sha1` - `sha2-224` - `sha2-256` - `sha2-384`