HTTPS SSL Certificate Signed using Weak Hashing Algorithm

I support one client for whom security scans are mandatory for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.
The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for the same.
Nessus Scanner reports
Medium Severity Vulnerability
Port : https (443/tcp)
Issue:
SSL Certificate Signed using Weak Hashing Algorithm
Synopsis :
The SSL certificate has been signed using a weak hash algorithm.
Description :
The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service.
See also :
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068
Solution :
Contact the Certificate Authority to have the certificate reissued.
Plugin Output :
Here is the service's SSL certificate :
Subject Name:
Common Name: xxxxxxxxxx
Issuer Name:
Common Name: xxxxxxxxxx
Serial Number: D8 2E 56 4E
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Aug 25 11:15:36 2011 GMT
Not Valid After:  Aug 22 11:15:36 2021 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 AA AB 57 9C 74 FF E9 FB 68 E1 BF 69 90 8E D2 65 7F DF 40
D6 F6 29 E7 35 5E 16 FB 76 AA 03 3F 47 07 5A D0 6D 07 E0 EC
06 7E D4 9A 43 C6 B3 A6 93 B7 76 CC 58 31 25 36 98 04 30 E6
77 56 D7 C3 EE EF 7A 79 21 5E A0 78 9B F6 1B C5 E6 2A 10 B5
CB 90 3D 6D 7C A0 8D B1 B8 76 61 7F E2 D1 00 45 E2 A1 C7 9F
57 00 37 60 27 E1 56 2A 83 F5 0E 48 36 CC 61 85 59 54 0C CB
78 82 FB 50 17 CB 7D CD 15
Exponent: 01 00 01
Signature: 00 24 51 24 25 47 62 30 73 95 37 C4 71 7E BD E4 95 68 76 35
2E AF 2B 4A 23 EE 15 AF E9 09 93 3F 02 BB F8 45 00 A1 12 A9
F7 5A 0C E8 4D DB AE 92 70 E4 4C 24 10 58 6B A9 87 E1 F0 12
AE 12 18 E8 AB DF B9 02 F7 DA BE 3C 45 02 C4 1E 81 44 C2 74
25 A2 81 E7 D6 38 ED B9 66 4C 4A 17 AC E3 05 1A 01 14 88 23
E8 9F 3B 5C C5 B8 13 97 27 17 C3 02 5F 6E 7C DB 4C D3 65 B5
C5 FC 94 62 59 04 E7 7E FB
CVE :
CVE-2004-2761
BID :
BID 11849
BID 33065
Other References :
OSVDB:45106
OSVDB:45108
OSVDB:45127
CWE:310
Nessus Plugin ID :
35291
VulnDB ID:
69469
I also tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.
Here is the ASA log:
7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587

Hi Ramkumar,
The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
The links you posted have more information on this as well. Hope that helps.
-Mike
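
Added example (not part of Mike's reply, and not Cisco or Nessus code): a small Python checker that does the two things Mike describes, reading the signature algorithm OID from the certificate and comparing issuer to subject to tell a self-signed certificate from a CA-signed one. It walks the certificate's DER by hand, so it needs only the standard library. Note also why the "ssl encryption" change made no difference: the cipher list (RC4-MD5 included) governs the TLS session's MAC, not the hash the CA used to sign the certificate, which is what plugin 35291 looks at. The certificate below is constructed in code with dummy key and signature bytes (only the serial number is borrowed from the report above); to check a live ASA, take the DER from `openssl s_client -connect <asa>:443 </dev/null | openssl x509 -outform DER`, or convert PEM with `ssl.PEM_cert_to_DER_cert()`, and pass the bytes to `inspect_certificate()`.

```python
"""Flag an X.509 certificate whose signature uses MD2/MD4/MD5 (the condition behind
Nessus plugin 35291) and tell a self-signed certificate from a CA-signed one.
Added example: a minimal DER walker, not Nessus or Cisco code. The certificate used
below is constructed in code with dummy key and signature bytes; only the serial
number is taken from the report above."""

# AlgorithmIdentifier OIDs for common signature schemes (RFC 3279 / RFC 4055 / RFC 5758).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Turn OBJECT IDENTIFIER contents into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der):
    """Report the outer signature algorithm and whether issuer == subject.
    Name equality is the usual self-signed heuristic; it does not verify the signature."""
    _, cert, _ = der_tlv(der)
    tbs, sig_alg, _sig_value = der_children(cert)
    alg_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    return {
        "sig_alg": KNOWN_SIG_OIDS.get(alg_oid, alg_oid),
        "weak_hash": alg_oid in WEAK_SIG_OIDS,
        "self_signed": issuer == subject,
    }


# --- constructed test certificate (no real key material) ---------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)."""
    atv = _tlv(0x30, _oid("2.5.4.3") + _tlv(0x13, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def build_test_certificate(sig_oid, issuer_cn, subject_cn):
    """Assemble a syntactically valid Certificate with dummy key and signature bits."""
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")          # AlgorithmIdentifier, NULL params
    validity = _tlv(0x30, _tlv(0x17, b"110825111536Z") + _tlv(0x17, b"210822111536Z"))
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00")
                + _tlv(0x03, b"\x00\x30\x00"))             # rsaEncryption, empty key
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02")           # version v3
                + _tlv(0x02, bytes.fromhex("00D82E564E"))  # serial number from the report
                + alg + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\x00" * 16))


if __name__ == "__main__":
    print(inspect_certificate(build_test_certificate("1.2.840.113549.1.1.4", "asa", "asa")))
```

If `self_signed` is true, regenerate the certificate on the ASA with SHA-1 or better as Mike says; if it is false, the issuer named in the certificate is the party that has to reissue it. The issuer/subject comparison only looks at the encoded names, so it cannot distinguish a genuinely self-signed certificate from one a CA issued to itself under the same name without checking the signature.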

Similar Messages

  • A fix for the Mozilla Firefox SSL Certificate Validation Security Weakness vulnerability? This appears to be an issue with not revalidating certificates when loading HTTPS pages from cache.

    We have to close vulnerabilities for PCI & Cybertrust certification. We have upgraded users running Firefox to version 7.0.1 but we are still receiving the message: Mozilla Firefox SSL Certificate Validation Security Weakness. Researching the issue, it appears to be related to certificates not being revalidated when loading HTTPS pages from cache. The bug report I found is:
    Bug 660749 - Firefox doesn't (re)validate certificates when loading a HTTPS page from the cache

    New profile, same problem.
    We've already established it is not a add-ons problem but obviously there will be less add-ons in this new profile to help exclude.
    Since there are two PC profiles on the PC, I tried the second profile, same problem. Used the RESET FF function on the second PC profile... same thing... even followed the instructions for uninstall and reinstall... same problem.
    (3) different virus scanners, no hard core problems.
    Suspect I have something in my Windows setup that no one else is using?

  • What kind of SSL Certificate to use on Profile Manager?

    I would like to get my SSL CSR signed to use it with Profile Manager, but on the CA's website it asks me what kind of SSL Certificate I need, giving me these options:
    AOL
    Apache-ModSSL
    Apache-SSL (Ben-SSL, not Stronghold)
    C2Net Stronghold
    Cisco 3000 Series VPN Concentrator
    Citrix
    Cobalt Raq
    Covalent Server Software
    Ensim
    HSphere
    IBM HTTP Server
    IBM Internet Connection Server
    iPlanet
    Java Web Server (Javasoft / Sun)
    Lotus Domino
    Lotus Domino Go!
    Microsoft IIS 1.x to 4.x
    Microsoft IIS 5.x to 6.x
    Microsoft IIS 7.x and later
    Netscape Enterprise Server
    Netscape FastTrack
    Novell Web Server
    Oracle
    Plesk
    Quid Pro Quo
    R3 SSL Server
    Raven SSL
    RedHat Linux
    SAP Web Application Server
    Tomcat
    Website Professional
    WebStar 4.x and later
    WebTen (from Tenon)
    WHM/CPanel
    Zeus Web Server
    OTHER
    Which one should I use?

    If the Certificate is already on your Mac, you can examine it in the "Keychain Access" application.  What they are asking you is who issued the Certificate.  If you do not see the Issuer listed, try "Other".

  • SSL Certificate CSR using SHA1

    Is it possible to generate a CSR using SHA1 instead of MD5 on a Cisco 1841 for SSL VPN, because the provider I am trying to use doesn't accept MD5? I also tried to import their private key and got an error "Error: invalid PEM boundary". Any help would be appreciated.

    Well, I have run into the same issue. I'm trying to generate a CSR (certificate signing request) on a Cisco 2821 running IOS 12.4(15)T8 with a SHA signature because StartSSL does not accept CSRs with an MD5 signature anymore.
    As I understand it, the 'hash sha1' command within the crypto pki trustpoint should do the trick, but apparently not. The CSR that is generated is still not accepted by StartSSL, which claims it is still signed with an MD5 hash.
    So: How to generate a CSR with a SHA signature?

  • SSL certificate and use?

    Hi,
    some time ago I've become aware of the presence of an SSL certificate for the Arch homepage.
    Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.
    Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
    And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?
    I ask mainly because of paranoia and secondly out of curiosity.

    cactus wrote:The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
    It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).
    It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
    As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.
    As you're not using officially signed certs any longer, you could also do the following:
    You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.
    I've found a really well-written howto here, and I've already tested it within my local network.
    Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience of how to get signed by an official institution.
    Or you could also ship your root cert with the installation ISO, similar to Ubuntu shipping the public PGP keys of their package managers with their installation ISOs.
    This is of course only a suggestion, but I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.
    I'm pretty interested in everyone's feedback. Maybe there's even someone who has experience with other distros and how they've handled that problem.

  • Certificate Authority certificate issued with incorrect hash algorithm

    Hi all,
    We have a certificate authority which was migrated from Server 2003 to 2008R2, the issue is that after running this command:
    certutil -setreg ca\csp\CNGHashAlgorithm sha256
    to upgrade the CA to SHA256, we renewed the CA certificate but the certificate still renewed using SHA1. The cryptographic settings in the CA properties dialog box says SHA256 however the certificate is issued using SHA1. Here is the image:
    Any pointers to how we can reissue CA certificate with SHA256 algorithm?
    Thanks,
    Ojas

    [Puneet Singh] What I feel is that your initial key was generated CAPI-based; that might be the reason you are facing the problem.
    Try to do things in the sequence below.
    On the certification authority's system, you will need to run the following commands from an elevated command line window:
     certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    net stop certsvc
    net start certsvc
    Make sure you are  using a Key Storage Provider that supports SHA256 – for example the Microsoft Key Storage Provider -
    and then renew the certification authority’s certificate.
    If you have the CAPI provider or a CAPI-based key, you have to convert it to a CNG key and use certutil repair so that it starts using the CNG key.
    Puneet Singh

  • Wildcard HTTPS/SSL Certificates

    Is the entire SGD 4.5 stack compatible with wildcard certificates? Not just the webserver portion, but also the SGD applet security?

    Wildcard certs are for the Webserver and AIP. SGD Applet (TCC Helper) should be covered under this.
    http://docs.sun.com/source/820-6689/chapter1.html#d0e3289
    Make sure it's from a supported CA or you will have extra config to do
    http://docs.sun.com/source/820-6689/chapter1.html#Z40000061441383
    Why do you ask?

  • Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2

    HI All,
    I am hearing the news that SHA-1 certificates will be soon phased out on Chrome and Microsoft platforms. I am Ok with replacing public certificates with SHA-2 certificates.
    But I see that our internal certificates are also issued with the SHA-1 algorithm, and these SSL certificates are used on the LAN to access internal sites. So do I need to get internal certificates reissued with SHA-2 (256)? If so, what do I need to change on the CA server to use the SHA-2 algorithm?
    Thanks in advance.
    Mahi

    On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
    On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
    Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
    Currently no. All of the current SHA1 deprecation notices from Microsoft
    apply only to public root CAs that are part of the Microsoft Trusted Root
    program.
    You should start planning to migrate your internal CAs however. At some
    point in time I think you'll find that all SHA1 certificates will be
    deprecated.
    Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it, it is pointless to have legacy SHA1 in your environment if the browser can't distinguish one from the other.
    This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
    I also recommend that CA servers be on the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
    Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
    Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
    IE does not itself do certificate validation; that is passed off to the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are no longer accepted, determining whether the certificate being validated chains to an internal or an external root will be done by the certificate chaining engine and not directly by IE.
    The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".

  • Server 3 / SSL Certificate / Open Directory - Problem!

    We've updated from Server 2 to Server 3 / OS X 10.9.
    We have an SSL certificate for server from Comodo.
    Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
    Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
    I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
    Does this matter? Presumably it should be possible (as the standard setting appears to try to set Open Directory to use the SSL certificate), but I'm not sure whether trying to fix it is simply a fool's errand.
    Anyone got any clues as to whether to fix or not, and if to fix, how?
    Thanks in advance.

    Have you checked to see that the certificate is indeed "Trusted" by your server?
    Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
    Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
    When you select your Certificate, if it's there, does it show as trusted?
    Another thing you can check: often certificate authorities use intermediate certificates. Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else. A good example is GoDaddy. They sell both SSL and code signing certificates of all flavours. In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain. My GoDaddy cert looks to be trusted by Verisign via an intermediate.
    Have a look here... https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
    Not sure if it's directly relevant, but there it is.
    The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
    --an afterthought--  Anything in the logs?
    Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
    tail -f /var/log/system.log
    In the server window try to select the certificate and click done.  See what the output in terminal says.

  • SSL Certificate question (minor issue)

    I have a Windows 2012 server setup with RDS.  I have about 10 virtual machines already setup - my whole VDI infrastructure.  Everything is working fine - accessing the vm's internally and externally, however, I have issues w/the certificate.
    I am using a self-signed certificate (until I can get my client to pay for a real SSL cert).
    I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address), the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012)
    and the user will see the RDWeb page and can log in from there.  The cert is pointed to remote.mycompany.com too.  However, my server is called vdi-remote2.mycompany.com.  Naturally, when using IE to access the RDWeb page, their address bar
    in IE will be red with the cert error/warning.
    First they are greeted with the "There is a problem with this website's security certificate" and will click on continue to the this website.  Upon inspection of the certificate, it will say "This CA Root certificate is not trusted.  To
    enable trust, install this certificate in the Trusted Root Certification Authorities store."  Ok, I can install it (and have), but I still get the red address bar in my IE.
    Needless to say, I'd like to clean this all up. The users are non-technical people and when they see this stuff, they freak out. We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and secure: green or no address bar when using https in the address bar.
    How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb.  I don't recall the possibility to have two certs for one website (the RDWeb).  So,
    I'm a bit confused on all this cert stuff.  I could keep everything as is and just train the users, but I'd rather not.
    Thank you in advance for your reply.

    Hi Steve,
    Thanks for your comment.
    Yeah, your understanding is correct as you have commented that “Things are working, but ONLY after I install the cert in the trusted root certification authorities store.”
    A trusted certificate is required for the RDS server.
    I would like to suggest that, first of all, the certificate must be placed in the (local computer)/Personal store, and the certificate must be signed by a trusted authority. Please check the link below, which states that "If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server."
    RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
    You may export your certificate (and its private key) to a .pfx file using the Certificates mmc snapin.  By that way you can use the .pfx file for the RDS Role Services.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    For your comment "One user was having issues. Once I installed the cert on her computer, she has no more issues logging in and launching a remote session.", I can say that if the issue is mostly due to the certificate only, then if you purchase a trusted authority certificate, as per my knowledge all your problems regarding login and certificates will be solved.
    More information:
    1. Configuring RDS 2012 Certificates and SSO
    2. RD Web Access Web site to use a trusted certificate
    (Thread might helpful to understand)
    Hope it helps!
    Thanks,
    Dharmesh

  • Creating SSL certificate and configuring it with JBOSS 4.0.1

    I have to post some data to a secured site from my application.
    For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
    But, while creating the stream it is showing SSLException and message is No trusted certificate found.
    For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
    Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

    I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
    See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

  • Changing SSL certificate for ICM

    Hello,
    I'd like to change the SSL certificate for the ICM service. I've changed it in STRUST, but when I run a web browser, the server sends the old one. It is very odd that ICM still works after deleting all "SSL Server" certificates in STRUST. I tried to restart the whole SAP system, but it did not help.
    Is there any possibility to change working certificate? What should I do to make such change?

    > I often use transaction SMICM -> Administration -> ICM -> Exit soft to restart only the ICM without interrupting the whole SAP system.
    > You should increase the ICM trace level, restart it and look at the trace file to try to find out what's wrong.
    OK, ICM runs properly now. I have no idea why, as I did not change anything. Maybe "soft restart" invoked few times helped.
    > Of course. In my company we use our own internal CA for intranet use and Verisign for internet use.
    > (for internet use the certificate in on the reverse proxy in the DMZ).
    Here I've got another problem.
    I've started with something simple. STRUST -> SSL server -> Create Certificate Request. My CA has signed this request. Now, when I'm trying to install the signed certificate, I get an error "Cannot import certificate response".
    As my CA is not signed by any well-known CA (e.g. VeriSign), I've added my CA's certificate to the SAP database (as root CA and server CA), but it did not help.
    In SSL server, I've got "(self signed)" below the "own certif." field and I cannot change it.
    If it's not a big problem, could you write down what I should do to install an external SSL certificate signed by a not-well-known CA?
    Many thanks for your help,
    regards,
    Konrad

  • Godaddy SSL certificate on weblogic

    Hello,
    Recently I purchased an SSL certificate from GoDaddy; they sent me 2 files (mydomain.crt) and (gd_bundle.crt).
    Now I don't know how to create the .pem file to complete the installation. Below are the instructions I followed.
    - keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
    - keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
    Here, when I enter this, I get an error (keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found)). So how do I create the CertChain.pem from the files I got from GoDaddy?
    - keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
    - keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
    keytool -list -v -keystore <keystore-name> -storepass <keystore-password>

    I found out how to install the GoDaddy SSL certificate on WebLogic; follow the link below.
    http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
    But I still get "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

  • Hash algorithms for passwords.

    Hello!
    I have this question.
    When I store a password in a database I can use any hash algorithm.
    But if I use a local database and start my application on another computer, will the values after hashing be the same or not?
    For example :
    string password = "admin";
    int passwordToDb = password.GetHashCode(); // this value I save in db.
    On another computer, when I verify my password and calculate the hash, will it be the same? I guess not.
    And what about SHA algorithms? Will I have such a problem?

    Use MD5 encryption:
    using System;
    using System.Security.Cryptography;
    using System.Text;

    /// <summary>
    /// Hash the string with MD5
    /// </summary>
    /// <param name="chaine">The string to hash.</param>
    /// <returns>The hashed string, as uppercase hex.</returns>
    public static String hashWithMD5(String chaine)
    {
        // The MD5 object.
        MD5 md5HashAlgo = MD5.Create();
        // The result.
        StringBuilder resultat = new StringBuilder();
        // Byte array to hash.
        byte[] byteArrayToHash = Encoding.UTF8.GetBytes(chaine);
        // Hash the string and place the result in the array.
        byte[] hashResult = md5HashAlgo.ComputeHash(byteArrayToHash);
        // Walk the array to build the result.
        for (int i = 0; i < hashResult.Length; i++)
        {
            // Emit the hash byte in hexadecimal.
            resultat.Append(hashResult[i].ToString("X2"));
        }
        // Return the result.
        return resultat.ToString();
    }
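
Added example, in Python rather than the C# posted above (it is not the answerer's code), to show the two properties the question turns on: a cryptographic hash such as SHA-256 is defined byte-for-byte, so it yields the same digest on any machine or run, whereas a runtime's object hash code (Python's `hash()` for strings, like `GetHashCode`) is not guaranteed stable across processes or machines and must never be stored; and a password digest that is stored should be salted and stretched, here with PBKDF2-HMAC-SHA256 from the standard library. The iteration count is an assumption to tune on your own hardware.

```python
"""Stable, storable password hashing. Added example (standard library only),
not the C# code posted in the thread above."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on your server


def sha256_hex(text):
    """Deterministic: identical input gives an identical digest on every machine and run.
    Contrast hash(text) / GetHashCode, whose values are not guaranteed stable across processes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.
    A fresh random salt per user means two users with the same password store different records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("admin")
    print(record)
    print(verify_password("admin", record), verify_password("Admin", record))
```

Storing the iteration count and salt inside the record lets you raise the work factor later and re-hash users at their next login without a schema change.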

  • SSL Certificate and SSL Authentication

    Hi-
    I'm hoping someone can shed some light on this issue.
    First off, is there a difference between SSL Certificate and SSL Authentication?
    I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
    But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
    If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
    Any advice would be appreciated.
    Thanks!

    Hi Imagine,
    You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port numbers are correct, check the SSL boxes and leave authentication on Password, at least on most setups. Each host may be different, so you have to double check with them.
    Hope That Helps,
    Eric
