SSL Certificate Signed Using Weak Hashing Algorithm

Question
-
Hi,
I'm facing a vulnerability on servers, "SSL Certificate Signed Using Weak Hashing Algorithm".
Kindly suggest a proper solution for this: how do we patch this vulnerability?
Tuesday, August 23, 2016 7:37 AM
Answers
-
There's a marked answer from this same forum here on this topic. The answerer to that post states:
"The hash algorithm used by a CA is determined by a registry key - once re-configured the CA signs anything using the new algorithm. See instructions in this article.
If this is a Root CA you need to renew this CA's certificate so that you only use SHA-2 in your hierarchy. If there are more levels in your hierarchy all the CAs would need to be re-configured and renewed.
Note that the CA also signs CRLs using the new algorithm. So in case your CA had issued certificates that are validated by applications that don't understand SHA-2, and in case those apps check CRLs, those applications would fail. The recommended practice is to set up a new PKI hierarchy in parallel that uses only the new algorithm and keep the existing hierarchy as a fallback for 'legacy certificates' until you have tested all applications and devices."
Reference: https://social.technet.microsoft.com/Forums/en-US/4d6bfb04-cada-4a68-92a0-a5b5f7d1baf1/migrate-sha1-hash-algorithm-ssl-certificates-to-sha2?forum=winserversecurity
Best Regards, Todd Heron | Active Directory Consultant
Tuesday, August 23, 2016 11:24 AM
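The answer above covers the two CA-side steps (switch the CA's signing hash, then renew the CA certificate) but not how to find the certificates the scanner is complaining about, nor that certificates already issued stay SHA-1-signed until they are reissued. The following PowerShell script is an added example written for this page, not code from the thread or from Microsoft. It assumes an AD CS CA whose key lives in a CNG key storage provider (so the relevant registry value is `CSP\CNGHashAlgorithm`, read and written here through `certutil`), that the CA service is named `certsvc`, and that "weak" means MD5 or SHA-1 signatures, which is what this class of scanner finding refers to. Run it as Administrator; pass `-ReconfigureCA` only on the CA itself.

```powershell
<#
  Added example (not from the original thread). Assumptions:
   - AD CS with a CNG KSP key (registry value CSP\CNGHashAlgorithm);
   - CA service name 'certsvc';
   - "weak" = MD5 or SHA-1 signature algorithms.
  Run elevated. The audit part works on any Windows host; the
  -ReconfigureCA part must run on the CA.
#>
param(
    [switch]$ReconfigureCA,
    [string]$NewHash = 'SHA256'
)

# Signature algorithm friendly names treated as weak (assumed list).
$WeakSignatureAlgorithms = 'md2RSA', 'md5RSA', 'sha1RSA', 'sha1DSA', 'sha1ECDSA'

function Get-WeakSignedCertificates {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My',
                                  'Cert:\LocalMachine\CA',
                                  'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $alg = $_.SignatureAlgorithm.FriendlyName
            if ($WeakSignatureAlgorithms -contains $alg) {
                [pscustomobject]@{
                    Store              = $path
                    Subject            = $_.Subject
                    Issuer             = $_.Issuer
                    SignatureAlgorithm = $alg
                    NotAfter           = $_.NotAfter
                    # A self-signed root's own signature is never verified by
                    # relying parties; it is listed for completeness, but the
                    # findings that matter are leaf and intermediate certs.
                    SelfSigned         = ($_.Subject -eq $_.Issuer)
                    Thumbprint         = $_.Thumbprint
                }
            }
        }
    }
}

function Set-CaSigningHash {
    param([string]$Hash)
    Write-Host "Current CA hash algorithm:"
    certutil -getreg ca\csp\CNGHashAlgorithm
    # From this point on every certificate AND every CRL the CA signs uses $Hash.
    certutil -setreg ca\csp\CNGHashAlgorithm $Hash
    Restart-Service -Name certsvc
    Write-Host "New CA hash algorithm:"
    certutil -getreg ca\csp\CNGHashAlgorithm
    # Renew the CA's own certificate with the existing key pair so the CA cert
    # itself is signed with the new hash. On a subordinate CA this produces a
    # request that must be submitted to the parent CA.
    certutil -renewCert ReuseKeys
    # Publish a fresh CRL signed with the new algorithm.
    certutil -crl
}

# 1. Audit: list every weakly signed certificate in the machine stores.
$findings = Get-WeakSignedCertificates
if ($findings) {
    $findings | Sort-Object SelfSigned, Store | Format-Table -AutoSize
} else {
    Write-Host "No MD5/SHA-1 signed certificates found in the machine stores."
}

# 2. Remediate the CA (only when asked for, and only on the CA host).
if ($ReconfigureCA) {
    Set-CaSigningHash -Hash $NewHash
}
```

Two caveats a practitioner should keep in mind. First, if `certutil -getreg ca\csp\CNGHashAlgorithm` reports that the value does not exist, the CA key is in a legacy CSP rather than a KSP, and the key must be migrated to a KSP before the CA can sign with SHA-2 (Amy's two linked Microsoft articles below cover that migration). Second, changing the CA only affects what it signs from now on: every server certificate the audit lists, other than self-signed roots, has to be reissued from the reconfigured CA and re-bound in IIS, RDP, LDAPS, etc., and the scanner finding only clears once the certificate presented on the port is the new one.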
All replies
-
Hi,
In addition, here are some official articles below regarding migrating a CA/PKI's hash algorithm which might be useful to you:
SHA-1 Deprecation and Changing the Root CA’s Hash Algorithm
SHA1 Key Migration to SHA256 for a two tier PKI hierarchy
Best Regards,
Amy
Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Proposed as answer by Todd Heron Monday, September 5, 2016 12:48 PM
Wednesday, August 24, 2016 10:21 AM
Hi,
Is further assistance required at the moment?
Best Regards,
Amy
Monday, September 5, 2016 3:32 AM