SSL Certificate Signed Using Weak Hashing Algorithm

  • Question

  • Hi,

    I'm facing a vulnerability on servers, "SSL Certificate Signed Using Weak Hashing Algorithm".

    Kindly suggest a proper solution for this: how do we patch this vulnerability?

    Tuesday, August 23, 2016 7:37 AM

Answers

  • There's a marked answer from this same forum here on this topic.  The answerer to that post states:

    "The hash algorithm used by a CA is determined by a registry key - once re-configured the CA signs anything using the new algorithm. See instructions in this article.

    If this is a Root CA you need to renew this CA's certificate so that you only use SHA-2 in your hierarchy. If there are more levels in your hierarchy all the CAs would need to be re-configured and renewed.

    Note that the CA also signs CRLs using the new algorithm. So in case your CA had issued certificates that are validated by applications that don't understand SHA-2 and in case those apps. check CRLs those applications would fail. The recommended practice is to setup a new PKI hierarchy in parallel that uses only the new algorithm and keep the existing hierarchy as a fallback for 'legacy certificates' until you have tested all applications and devices."

    Reference: https://social.technet.microsoft.com/Forums/en-US/4d6bfb04-cada-4a68-92a0-a5b5f7d1baf1/migrate-sha1-hash-algorithm-ssl-certificates-to-sha2?forum=winserversecurity


    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Amy Wang_ Monday, September 5, 2016 3:32 AM
    • Marked as answer by Amy Wang_ Monday, September 12, 2016 2:54 AM
    Tuesday, August 23, 2016 11:24 AM
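One way to confirm the scanner finding on an affected server and to check and change the CA-side setting the marked answer refers to, as an added PowerShell example that is not part of the original thread. It assumes an AD CS issuing CA whose key is held by a CNG key storage provider; the store paths and the `certutil` registry values are the standard AD CS ones.

```powershell
# Added example (not from the thread): list certificates in the local
# machine stores whose signature hash is MD5 or SHA-1, which is what the
# "Signed Using Weak Hashing Algorithm" finding reports.
function Get-WeakSignedCertificates {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\My',
                              'Cert:\LocalMachine\CA',
                              'Cert:\LocalMachine\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            # FriendlyName is e.g. md5RSA, sha1RSA, sha256RSA
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^(md5|sha1)' } |
            Select-Object @{n = 'Store'; e = { $store }},
                          Subject, Issuer, NotAfter,
                          @{n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName }}
    }
}

# A self-signed root's own signature is not checked during chain building,
# but scanners commonly flag it anyway; the issuing CA and leaf entries are
# the ones that actually need a SHA-2 reissue.
Get-WeakSignedCertificates | Format-Table -AutoSize

# On the issuing CA itself (elevated): read the hash algorithm and provider
# the CA currently uses to sign certificates and CRLs.
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -getreg ca\csp\Provider

# Switch the CA to SHA-256 and restart the service so the change takes
# effect. From then on new certificates and CRLs are signed with SHA-256;
# certificates already issued keep their SHA-1 signature until renewed.
# If the CA key sits in a legacy CSP rather than a KSP, migrate the key
# first as described in the Microsoft articles linked in this thread.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# Publish a fresh CRL so relying parties immediately receive one signed
# with the new algorithm (this is the point where SHA-2-unaware clients
# that check CRLs would start to fail, as the marked answer notes).
certutil -crl
```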

All replies

  • Hi,

    In addition, here are some official articles regarding migrating a CA/PKI's hash algorithm which might be useful to you:

    SHA-1 Deprecation and Changing the Root CA’s Hash Algorithm

    https://blogs.technet.microsoft.com/askpfeplat/2015/03/15/sha-1-deprecation-and-changing-the-root-cas-hash-algorithm/

    SHA1 Key Migration to SHA256 for a two tier PKI hierarchy

    https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Todd Heron Monday, September 5, 2016 12:48 PM
    Wednesday, August 24, 2016 10:21 AM
  • Hi,

    Is further assistance required at the moment?

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 5, 2016 3:32 AM