Are SHA-1 client certificates now unsupported?

  • Question

  • I'm aware that SHA-1 server certificates that chain to Root CA certificates within Microsoft's Trusted Programme are unsupported by Edge and IE11 on Windows 10, as of a couple of years ago.

    We have an IIS web farm hosting our ASP.NET systems. The server uses a root certificate that, while it was generated using SHA-1, is not part of the Trusted Programme and therefore has no problem when being used to connect to it securely; the problem is that some of our applications require smartcard authentication, and as soon as the user is prompted to enter the PIN, Edge/IE11 kills the connection.

    It's as if Edge/IE11 won't allow the transmission of SHA-1 based certificates.

    One strange caveat to this is that if I force IE11 to use only deprecated TLS versions (i.e. TLS 1.0) then it works, in that the smartcard certificate is transmitted and used to authenticate. If I force IE11 to use TLS 1.2 then it fails.

    Using certutil I'm able to determine that the smartcard client certificate was generated using SHA-1 and is also signed by the Root CA certificate used on the server.

    IE11 works perfectly fine from Windows 7, so I assume the security policy only affects W10 versions.

    Did I miss an announcement that this would also affect client certificates? The original announcement made it clear this would not be the case (taken from a Microsoft blog):

    How will SHA-1 client authentication certificates be impacted?

    The mid-2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.

    Thursday, November 14, 2019 8:36 AM
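The certutil check described in the question, extended to every certificate in the client certificate's chain, as an added example that is not part of the original post. It assumes the smartcard/client certificates are visible in the current user's personal store (Cert:\CurrentUser\My) and flags any element whose signature hash is SHA-1.

```powershell
# Added example (not from the original post): list client-authentication
# certificates in the current user's personal store and report the signature
# hash algorithm of the leaf and of every certificate in its chain, so that
# SHA-1 signatures stand out before a TLS 1.2 handshake is attempted.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

Get-ChildItem -Path Cert:\CurrentUser\My |
  Where-Object {
    $eku = $_.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A certificate with no EKU extension is valid for any purpose; keep it too.
    (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthEku })
  } |
  ForEach-Object {
    $leaf  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline walk only: revocation status is not what we are checking here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)
    foreach ($element in $chain.ChainElements) {
      $cert = $element.Certificate
      $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
      [pscustomobject]@{
        Leaf    = $leaf.Subject
        Element = $cert.Subject
        SigAlg  = $alg
        IsSha1  = ($alg -match '^sha1')
        # A self-signed root's own signature is never verified by a peer,
        # so SHA-1 on the root alone is not the same concern as on the leaf.
        IsRoot  = ($cert.Subject -eq $cert.Issuer)
      }
    }
    $chain.Dispose()
  } | Format-Table -AutoSize
```

Run it on the Windows 10 client that fails and on the Windows 7 client that works; a leaf or intermediate reported with IsSha1 = True is the certificate to reissue with a SHA-2 signature.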