
Cert path shows SHA256withRSA or better, report still flags for SHA1

Question asked by Don Meyer on Sep 26, 2014
Latest reply on Oct 15, 2014 by Don Meyer

We just upgraded our first of many SHA1-signed certs, and were a bit surprised to find the test still flagging this first site for SHA1.  The bar at top indicates:

"Intermediate certificate uses SHA1. Upgrade to SHA256 as soon as possible to avoid browser warnings."

The Certificate path shows:

Path #1: Trusted
1  Sent by server: site-maint.itcs.illinois.edu
   SHA1: 97d05205c0fab70e05dae1f2362e99f8008f1942
   RSA 2048 bits / SHA256withRSA
2  Sent by server: InCommon RSA Server CA
   SHA1: f4f26a16d4b913cf3208e664e3dd384e56ce77af
   RSA 2048 bits / SHA512withRSA
3  Sent by server: USERTrust RSA Certification Authority
   SHA1: eab040689a0d805b5d6fd654fc168cff00b78be3
   RSA 4096 bits / SHA384withRSA
4  Sent by server, in trust store: AddTrust External CA Root
   SHA1: 02faf3e291435468607857694df5e45b68851868
   RSA 2048 bits / SHA1withRSA
   Weak or insecure signature, but no impact on root certificates

The CA Root still shows as SHA1withRSA - is that tripping the indication?  I wouldn't have thought so given the "no impact" caveat...

We do still have SHA1 intermediate certs in our chained bundle on the server, to support other sites yet to be updated. Is the mere presence of an additional SHA1 cert in the bundle provided by the server enough to flag for SHA1? I would think that if the certificate path is fully SHA256 or better down to the CA Root, it would pass as SHA256.

(NOTE: If you retest, use "d-web-l.itcs.uiuc.edu". The main/top is a SAN cert.)
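As an added example (not code from the original post or from SSL Labs), here is a stdlib-only Python script that reads the signatureAlgorithm of every certificate in a server's PEM bundle, so an old SHA1 intermediate left in the bundle can be spotted separately from the path the scanner builds. The OID table is an assumed subset and the sample bundle is built from constructed DER skeletons, not real certificates.

```python
import base64, re
OID_NAMES = {  # assumed subset; other OIDs are returned in dotted form
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def _tlv(buf, pos):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _oid(body):  # DER OBJECT IDENTIFIER body (base-128 arcs) -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _tlv(der, 0)
    _, _tbs, pos = _tlv(cert, 0)   # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)    # AlgorithmIdentifier = SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "expected an OID"
    return OID_NAMES.get(_oid(oid), _oid(oid))
def audit_bundle(pem_text):
    """Return [(position, algorithm, is_sha1)] for every cert in a PEM bundle."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    algs = [signature_algorithm(d) for d in ders]
    return [(i, a, "sha1" in a.lower()) for i, a in enumerate(algs, 1)]
# Constructed sample: DER skeletons with placeholder TBS and signature fields,
# enough to exercise the parser; a real bundle file goes through the same code.
def _fake_cert(alg_oid_hex):
    oid = bytes.fromhex(alg_oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x02\x05\x00" + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

SAMPLE_BUNDLE = "".join(_pem(_fake_cert(h)) for h in (
    "2a864886f70d01010b",  # leaf signed sha256WithRSA
    "2a864886f70d010105",  # old sha1WithRSA intermediate still in the bundle
    "2a864886f70d01010d",  # current sha512WithRSA intermediate
))
```

Run `audit_bundle(open("bundle.pem").read())` against the real chained bundle; any entry flagged True that is not the root is a candidate for the "intermediate uses SHA1" finding, whether or not it sits on the path built for the tested hostname.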
