AnsweredAssumed Answered

Question about Cross-Signing

Question asked by Vincent Lynch on Jun 2, 2015
Latest reply on Jun 2, 2015 by Adm Selec

Hi,

 

I have a question regarding the below server configuration and cross-signed certificates.

 

We know that the configuration pictured can cause issues for modern devices; where a device could prefer the SHA1 chain over the SHA2 chain when both roots are trusted and thus report errors related to SHA1. This is due to the way that Thawte (and other CAs) have cross signed their certificates, and due to the way that some software creates the chain.

 

However my question is: now that the old 1024-bit roots (highlighted in the photo below) are no longer trusted by Firefox or Windows, would this issue now be resolved?

 

I am thinking that Windows and Firefox would avoid/ignore that chain because it links back to an untrusted root?

 

 

 

questionabouttrustchain.PNG

Outcomes