Why do I have a wrong (SHA1) intermediate StartCom certificate in my chain on Azure website?

My intermediate certificate on https://paper-shape.com has a weak signature algorithm, SHA1: https://www.ssllabs.com/ssltest/analyze.html?d=paper-shape.com

I followed these instructions. I created my pfx file both with OpenSSL and with the certificate export wizard.

The CRT and PEM (intermediate certificate from StartCom) seem to be OK, because the following command shows "Signature Algorithm: sha256WithRSAEncryption" on both (CRT and PEM):

$ openssl x509 -text -in paper-shape.com.crt

Either something went wrong during my pfx creation process, or the Azure website overrules my intermediate certificate.

Does anybody have an idea?

Harry asked Jan 10 '15 18:01


2 Answers

Check your locally-installed certificates (on Windows, 'certmgr.msc'). You may have an old SHA-1-signed copy of the StartCom intermediate certificate which is still valid (say, to 2017) and being used in preference to that provided by the server.

GreenReaper answered Oct 13 '22 06:10


You can find (and chain) the SHA-256 intermediate certificate for Class-1 in PEM format, here: https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Itzhak Daniel answered Oct 13 '22 05:10
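One way to check which signature algorithm every certificate in a PEM bundle carries (the leaf plus the intermediate you are about to pack into the pfx, or a chain dumped from a local store), as an added example that is not from the question or either answer. It is dependency-free Python that reads only the outer signatureAlgorithm field of each certificate; the sample bundle at the bottom is constructed from fake certificates (valid outer DER layout, empty body) so the script runs offline, and on a real chain you pass the file contents instead.

```python
import base64
import re

# Signature-algorithm OIDs we recognise; the SHA-1 one is the weak case from the question.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted form (first byte packs two arcs, rest base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    _, cert, _ = _tlv(der, 0)
    _, _, after_tbs = _tlv(cert, 0)               # skip tbsCertificate entirely
    _, alg, _ = _tlv(cert, after_tbs)             # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(alg, 0)
    return _decode_oid(oid)
def chain_signature_report(pem_bundle):
    """For each cert in a PEM bundle, in file order: (index, algorithm name, signed with SHA-1?)."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_bundle)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        name = SIG_ALG_NAMES.get(oid, oid)
        report.append((i, name, "sha1" in name.lower()))
    return report
def _der(tag, body):                              # short-form DER TLV encoder for the samples below
    return bytes([tag, len(body)]) + body
def sample_cert_pem(sig_oid_hex):
    """Constructed stand-in, NOT a real certificate: empty tbsCertificate, given OID, dummy signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    cert = _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

# Constructed bundle mimicking the question: SHA-256 leaf followed by an old SHA-1 intermediate.
SAMPLE_BUNDLE = sample_cert_pem("2a864886f70d01010b") + sample_cert_pem("2a864886f70d010105")
```

Any entry flagged True is the certificate to replace with the SHA-256 intermediate before rebuilding the pfx.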