
PCI fail: SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

Question asked by Michael Ward on Oct 16, 2018
Latest reply on Oct 18, 2018 by StjepanSusnjar

I've been in IT for a while, but I'm fairly new to PCI compliance.

 

One of the errors my scan is failing on is: SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

The server seems to show 2 trusted certification paths. The only certificate that's not SHA256 is the last one at the bottom. Of course that's the Certification Authority certificate, so the fact that it's SHA1 shouldn't matter. See: PCI DSS scan failed - Help - Let's Encrypt Community Support

Or is there something else wrong?

 

I notice that the fingerprint in no.3 is different in both chains. Could that be anything?

 

Can I disable IIS sending the CA certificate (no. 4) as per Schoen's comment on March 6th here: PCI DSS scan failed - Help - Let's Encrypt Community Support? (IIS 8.5)
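
A way to list the signature algorithm of every certificate in the chain described in the question, as an added example that is not part of the original post. It assumes the site certificate sits in `Cert:\LocalMachine\My` with its private key, and it treats Subject equal to Issuer as the test for a self-signed root (a heuristic, labelled as such in the code).

```powershell
# Added example, not from the original thread.
# Walks the chain Windows builds for each server certificate and reports the
# signature hash of every element, so a weak hash on a leaf or intermediate
# can be told apart from one on the self-signed root.

# Windows friendly names start with the hash name, e.g. sha1RSA, sha256RSA.
$weakHash = '^(md2|md4|md5|sha1)'

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not the question here; skip it so the script works offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    $position = 0   # 0 = leaf, last element = root
    foreach ($element in $chain.ChainElements) {
        $c          = $element.Certificate
        $alg        = $c.SignatureAlgorithm.FriendlyName
        $weak       = $alg -match $weakHash
        # Heuristic (assumption): Subject equal to Issuer means self-signed root.
        $selfSigned = ($c.Subject -eq $c.Issuer)

        [pscustomobject]@{
            Leaf               = $cert.Thumbprint
            Position           = $position
            Subject            = $c.Subject
            SignatureAlgorithm = $alg
            SelfSigned         = $selfSigned
            Thumbprint         = $c.Thumbprint
            Finding            = if ($weak -and -not $selfSigned) { 'WEAK: leaf or intermediate' }
                                 elseif ($weak)                   { 'weak hash on self-signed root' }
                                 else                             { 'ok' }
        }
        $position++
    }
    $chain.Reset()
}

$results | Format-Table -AutoSize
```

`X509Chain.Build` returns the single path Windows selects locally, so a second path reported by a scanner or browser has to be compared from the client side, using the thumbprints in the output.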
