IIS TLS Certificate - Chrome says we are using "obsolete cryptography"

Tags: iis, ssl

We have installed a server certificate in IIS for a website. When browsing over HTTPS to the website and inspecting the icon using Chrome, we get the message "Your connection ... is encrypted with obsolete cryptography".

How do I configure IIS so that Chrome stops displaying this message? I also need to balance this against the need to support IE >= 8.


[EDIT]: As per the screenshot, we can see that the encryption method used is "AES_256_CBC with SHA1 for message authentication". The question is how we change this in IIS so that Chrome no longer complains about "Obsolete Cryptography".

gls123 asked Mar 23 '15 17:03


3 Answers

The answer Steffen gave is incorrect (although the link he provided does provide the answer if you read further down). The reason Chrome gives the error regarding obsolete cryptography in this case is due to AES in CBC mode.

It has nothing to do with having a SHA-1 certificate.

The TL;DR - ignore this error, it doesn't matter.

If you really want to get rid of the error then you need to enable AES GCM instead. However, this is easier said than done. I answered this in full on ServerFault recently; see the second half of my answer here:

https://serverfault.com/questions/683697/change-key-exchange-mechanism-in-iis-8/683705#683705

Steve365 answered Nov 04 '22 09:11
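To see why swapping the certificate alone changes nothing here, an added Python example (my own, not code from any of the answers): it classifies a cipher suite against Chrome's "modern cryptography" rules (TLS 1.2, ECDHE key exchange, AEAD bulk cipher), orders a suite list the way Schannel wants it, and can probe a live host. The suite list is constructed sample input; `probe` needs network access to the host you pass it.

```python
import socket
import ssl

# Constructed sample input: the suite behind the screenshot ("AES_256_CBC with
# SHA1"), an ECDHE variant of it, and two AEAD suites IIS can be made to prefer.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

def classify(suite, tls_version="TLSv1.2"):
    """Return the reasons Chrome would flag a connection as 'obsolete cryptography'.

    Chrome wants TLS 1.2+, an ECDHE key exchange and an AEAD cipher (AES-GCM or
    ChaCha20-Poly1305). Accepts IANA names (TLS_ECDHE_RSA_WITH_...) and OpenSSL
    names (ECDHE-RSA-AES256-GCM-SHA384) as ssl.SSLSocket.cipher() returns them.
    An empty list means 'modern cryptography'.
    """
    name = suite.upper().replace("-", "_")
    if name.startswith("TLS_"):
        name = name[4:]
    reasons = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("protocol %s is older than TLS 1.2" % tls_version)
    # TLS 1.3 suite names carry no key-exchange token; that handshake is always (EC)DHE.
    if tls_version != "TLSv1.3" and not name.startswith("ECDHE_"):
        reasons.append("key exchange is not ECDHE (no forward secrecy)")
    if "_GCM_" not in name and "CHACHA20_POLY1305" not in name:
        reasons.append("bulk cipher is not AEAD (CBC mode plus a separate HMAC)")
    return reasons

def schannel_order(suites):
    """Stable sort putting every Chrome-accepted suite ahead of the rest; Windows
    takes this list comma-separated as the 'SSL Cipher Suite Order' policy."""
    return sorted(suites, key=lambda s: bool(classify(s)))

def probe(host, port=443, timeout=5.0):
    """Connect to a live server and return the (suite, protocol) it negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite, version, _bits = tls.cipher()
            return suite, version

if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        print(s, "->", "; ".join(classify(s)) or "modern cryptography")
    print("Preferred order:", ",".join(schannel_order(SAMPLE_SUITES)))
```

Feed the output of `probe("your-iis-host")` to `classify` to see exactly which of the three criteria your server fails; an RSA key exchange with AES-CBC fails two of them regardless of which certificate is installed.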


Since I am new to SSL and certificates, I struggled with this too. Here's how we solved this issue. Note that in our case, we are working with an internal web application and use a self-signed certificate.

  1. Using OpenSSL on Linux, create a private key:
    openssl genrsa -out box.key 2048
  2. Then create and sign a certificate with the key (we set the expiry date a year and 10 days out):
    openssl req -new -x509 -sha256 -days 375 -key box.key -out box.crt
  3. Answer the questions (make sure the Common Name matches the web server's FQDN).
  4. Configure your web server to use SSL with this key and certificate.
  5. Using Chrome on Windows, enter your web site's HTTPS URL.
  6. Click on the lock icon in the address bar, then select the Certificate Information link in the popup.
  7. Go to the Details tab and select the Copy to File... button to launch the Certificate Export Wizard.
  8. Using the wizard, select PKCS #7 as the export format, and save the certificate (e.g. mykey.p7b).
  9. Install the certificate in the Trusted Root Certification Authorities certificate store (use certmgr.msc, or right-click on the certificate and select Install Certificate).
  10. Close Chrome, then log out and log back in to Windows (to force the old site warning out of the cache).
  11. Re-open Chrome and enter your web site's HTTPS URL.
  12. Admire your shiny green lock icon with modern cryptography.
Eugene Barker answered Nov 04 '22 08:11


You might want to read https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome, which was the first hit when looking for this specific error message.

It is hard to know for sure without having a look at your certificate, but I guess the following description from the linked page will match your certificate:

SHA-1 is deprecated in Chrome at the start of 2015. Certificates expiring in 2016 will be marked as "secure, but with minor errors". Certificates expiring in 2017 or later will be treated as "affirmatively insecure".

Steffen Ullrich answered Nov 04 '22 10:11