
SHA256 cert showing as SHA1

Question asked by Bob Watson on Nov 18, 2014
Latest reply on Nov 20, 2014 by Dan Wilson

Hello Forum

I have a FreeBSD server running Apache 2.4 with OpenSSL and an SHA256 certificate. When I run an SSL Labs test I get an A+ score and the results for the certificate chain look as follows:

pic1.png

I also have the Calomel SSL validation add-on installed in Firefox 33. When I browse my website on my FreeBSD/Apache/OpenSSL server I get a green shield and all is good as follows:

pic2.png

I have now moved my SHA256 SSL certificate from the FreeBSD server to a Windows Server 2012 R2 server with IIS. After doing this I now get a blue shield (using the Calomel SSL validation tool) and it says I am using SHA-1 for the MAC. (My certificate is definitely SHA256.) When I check the certificate chain it looks like this after doing another SSL Labs test:

pic3.png

So, as you can see, the certificate chain is identical between the two servers. Yet when I browse the site again using Firefox and the Calomel SSL Validation tool I get a blue shield and a lower score:

pic4.png

The blue shield is due to the SSL validation tool detecting the use of SHA-1 (I assume) for the MAC. So my question is:

Why is it that when I browse a website with a SHA256 certificate on my FreeBSD server it shows the MAC as SHA256, but when I browse a website on the Windows Server 2012 R2 server using the exact same certificate and certificate chains it shows up as SHA-1? Am I missing something here?

Both SSL Labs tests I have run on the FreeBSD and Windows server return an A+ score.

Can anyone help please?
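
Added example, not part of the original post: the hash used to sign a certificate and the hash a browser tool reports for the MAC are set in different places, the MAC being a property of the cipher suite negotiated for the connection. The Python below classifies IANA-style cipher suite names; the helper names `suite_integrity` and `explain` and the sample suite names are constructed for illustration and are not the suites either server in the post negotiated.

```python
# Added example. Suite names below are constructed samples, not the suites
# negotiated by either server in the post.
HASHES = {"MD5": "MD5", "SHA": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384"}
AEAD_MARKERS = ("_GCM", "_CHACHA20_POLY1305")


def suite_integrity(suite):
    """Classify record integrity for an IANA-style TLS cipher suite name."""
    if not suite.startswith("TLS_"):
        raise ValueError("not an IANA TLS suite name: " + suite)
    # TLS 1.2 and earlier: TLS_<kx>_WITH_<cipher>_<hash>; TLS 1.3: TLS_<cipher>_<hash>
    body = suite.split("_WITH_", 1)[-1]
    if body.startswith("TLS_"):
        body = body[len("TLS_"):]
    cipher, _, token = body.rpartition("_")
    if not cipher or token not in HASHES:
        # e.g. CCM suites carry no hash suffix; out of scope for this example
        raise ValueError("no recognised hash suffix in " + suite)
    aead = any(marker in "_" + cipher for marker in AEAD_MARKERS)
    return {
        "aead": aead,
        # CBC and stream suites authenticate records with HMAC over this hash.
        "record_mac": None if aead else "HMAC-" + HASHES[token],
        # For AEAD suites the suffix names the PRF/HKDF hash, not a MAC.
        "suffix_hash": HASHES[token],
    }


def explain(cert_sig_hash, suite):
    """Report the certificate signature hash and the suite's MAC side by side."""
    info = suite_integrity(suite)
    mac = info["record_mac"] or "AEAD tag (suffix hash %s is for the PRF/HKDF)" % info["suffix_hash"]
    return "certificate signed with %s; records protected by %s" % (cert_sig_hash, mac)


if __name__ == "__main__":
    # The certificate hash is fixed at "SHA-256" (constructed) while the suite varies.
    for name in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_AES_128_GCM_SHA256"):
        print(name, "->", explain("SHA-256", name))
```

The same SHA-256 certificate appears in every output line; only the suite, which depends on each server's cipher configuration and the client's offer, changes what is reported for the MAC.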
