Ssl – Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)

certificate-authoritysslssl-certificate

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "you grandma SSL shop" is fine for the uttermost top secured certificate of the world?

Am I missing something? (key usage? key size?)

Best Answer

The signature of the root CA certificates do not matter at all, since there is no need to verify them. They are all self-signed.

If you trust a root CA certificate, there’s no need to verify its signature. If you don’t trust it, its signature is worthless for you.

Edit: there are some very relevant comments below. I don’t feel comfortable copying or rephrasing them and taking credit for them instead of their authors. But I welcome people to add explanations to this answer.

Related Solutions

Apache – Client Certificate Authentication Guide

sometimes u need to add a SSLCertificateChainFile option in your apache2.conf.

For example, we use SureServer for our SSL certificates. Sometimes browsers to not contain the full tree for the SSL certificate andu need to supply the missing piece:

SSLEngine On
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCertificateChainFile /etc/apache2/sureserverEDU.pem

So u probably need to add your 3rd party CA there.

If I recall correctly rapidSSL has a chain file (RapidSSL_CA_bundle.pem)

Windows – IIS no longer trusts any CAs for client authentication

I've faced the same problem, I finally figured out the site was working correctly, but was tricked by the openssl message (which is just negotiation)

The correct steps are:

Set IIS SSL bindings up correctly
netsh http show sslcert and copy the values
Overwrite server SSL certificate binding with netsh http update sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable (or netsh http delete followed with the netsh http add)
Verified that settings were applied with netsh http show sslcert
(Windows 2012 R2 only) Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList to 1

The clientcertnegiotiation is needed to show the list to browsers/openssl, with it disabled a well configured client can still send the correct certificate.

Best Answer

Related Solutions

Apache – Client Certificate Authentication Guide

Windows – IIS no longer trusts any CAs for client authentication

Related Topic