Why do I have the wrong (SHA-1) intermediate StartCom certificate in my network on the Azure site?

My intermediate certificate for https://paper-shape.com received a weak SHA-1 signature algorithm: https://www.ssllabs.com/ssltest/analyze.html?d=paper-shape.com

I completed the thesis. I created a .pfx file with both OpenSSL and the Certificate Export Wizard.

The CRT and PEM files (intermediate certificate from StartCom) look fine, because the following command shows "Signature Algorithm: sha256WithRSAEncryption" for both (CRT and PEM):

$ openssl x509 -text -in paper-shape.com.crt

Either something went wrong during my .pfx creation process, or my direct certificate was canceled on the Azure website.

Does anyone have an idea?

+5
3 answers

Verify your locally installed certificates (on Windows, "certmgr.msc"). You may have an old copy of the StartCom intermediate certificate signed by SHA-1, which is still valid (say, until 2017) and is used in comparison with the provided server.

+6

You can find (and link) the intermediate SHA-256 certificate for Class 1 in PEM format here: https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

+5

I ran into the same problem. I was about to pull my hair out: the certificate seemed right in some browsers and OSes, while others claimed I was using SHA-1, and even https://shaaaaaaaaaaaaa.com told me that I had a SHA-2 signed crt.

So! Here is a long thread on the StartCom forum about this issue: https://forum.startcom.org/viewtopic.php?f=15&t=15929&st=0&sk=t&sd=a

The fact is that the browser uses an intermediate crt signed by SHA-1.

Solution: you need to configure the intermediate crt on your server!

Here you can see more detailed information: https://sslmate.com/blog/post/chrome_cached_sha1_chains

0
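The check the last answer implies, as an added example (not code from the question or from any answer): a stdlib-only Python script that reports the outer signature algorithm of every certificate in a PEM chain, so the SHA-1 intermediate can be spotted even when the leaf is SHA-256. Feed `chain_report` the chain your server actually sends (e.g. what `openssl s_client -showcerts` prints) or a bundle file; `SAMPLE_CHAIN` is a constructed DER shell for the demo, not a real certificate.

```python
import base64
import re

# AlgorithmIdentifier OIDs (RFC 4055 / RFC 5758) this check recognises; others print dotted.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Decode one DER element at buf[pos] -> (tag, contents, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(contents):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation."""
    arcs, acc = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Outer signatureAlgorithm of Certificate ::= SEQUENCE { tbs, sigAlg, sig } (RFC 5280)."""
    _, cert, _ = _tlv(der, 0)
    _, _, after_tbs = _tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(alg_id, 0)
    return SIG_OIDS.get(_oid(oid), _oid(oid))

def chain_report(pem_bundle):
    """[(position, algorithm, is_sha1), ...] per PEM certificate, in the order served."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    report = []
    for i, b64 in enumerate(re.findall(pem_re, pem_bundle, re.S)):
        alg = signature_algorithm(base64.b64decode("".join(b64.split())))
        report.append((i, alg, "sha1" in alg.lower()))
    return report

def fake_pem(oid_hex):
    """Constructed DER shell for the demo (NOT a real certificate): empty tbsCertificate,
    an AlgorithmIdentifier holding the given OID, empty signature. Real certs parse the same."""
    oid = bytes.fromhex(oid_hex)
    body = b"\x30\x00" + bytes([0x30, len(oid) + 2, 0x06, len(oid)]) + oid + b"\x03\x01\x00"
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample: SHA-256 leaf followed by an old SHA-1 intermediate, as in the question.
SAMPLE_CHAIN = fake_pem("2a864886f70d01010b") + fake_pem("2a864886f70d010105")
```

A chain whose leaf reports sha256WithRSAEncryption but whose intermediate reports sha1WithRSAEncryption is exactly the "SHA-1" verdict SSL Labs gives; the fix is to serve the SHA-2 intermediate from the server rather than rely on whatever copy the client has cached.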

Source: https://habr.com/ru/post/1210811/

