SSL Visibility - Getting browser warning when resigning CA cert is signed with SHA-1 algorithm

Article ID: 168896

Products

SSL Visibility Appliance Software

Issue/Introduction

A certificate resigning policy is in place, but the browser shows a warning related to the SHA-1 hash algorithm and a certificate expiration date in 2017 or later. The following is an example:

[Screenshot: browser warning about the SHA-1-signed certificate]

Cause

The re-signing intermediate CA certificate uses the SHA-1 hash algorithm and expires after January 1, 2017.

Many major browsers are phasing out SHA-1 support and issue a warning for certificates that are signed with SHA-1 and expire on or after January 1, 2017:

Google Chrome:
https://googleonlinesecurity.blogspot.cz/2014/09/gradually-sunsetting-sha-1.html

Mozilla:
https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/


Resolution

Create a new resigning CA certificate that is signed with the SHA-256, SHA-384, or SHA-512 algorithm, and install it in place of the SHA-1-signed certificate in the resigning policy.
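As an added example (not part of the original article or the appliance's own tooling), the following POSIX shell script audits a resigning CA certificate for the two conditions named above (SHA-1 signature and expiry in 2017 or later) and generates a replacement CA signed with SHA-256 using the openssl CLI. The subject name, file prefix and 2048-bit RSA key are assumptions for the demonstration; the resulting certificate still has to be imported into the appliance's resigning policy.

```shell
#!/bin/sh
# Audit a resigning CA certificate for the SHA-1 browser warning and
# build a SHA-256-signed replacement. Requires the openssl CLI (1.1.1+).
set -eu

# Print the signature algorithm of a PEM certificate,
# e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the four-digit notAfter year of a PEM certificate.
cert_end_year() {
  # -enddate prints "notAfter=Jan  1 00:00:00 2030 GMT"; field 4 is the year.
  openssl x509 -in "$1" -noout -enddate | awk '{print $4}'
}

# Classify a signature algorithm together with the notAfter year:
#   weak-sha1      SHA-1 (or MD5) and expires in 2017 or later -> browsers warn
#   sha1-pre-2017  SHA-1 but expired before 2017 (outside the warning window)
#   ok             SHA-2 family signature
sig_verdict() {
  case "$1" in
    *sha1*|*SHA1*|*md5*|*MD5*)
      if [ "$2" -ge 2017 ]; then echo weak-sha1; else echo sha1-pre-2017; fi ;;
    *) echo ok ;;
  esac
}

cert_verdict() { sig_verdict "$(cert_sig_alg "$1")" "$(cert_end_year "$1")"; }

# Generate a self-signed resigning CA: $1=output prefix, $2=digest
# (sha256|sha384|sha512), $3=validity in days. Writes $1.key and $1.crt.
make_resigning_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -"$2" -days "$3" \
    -subj "/CN=Example SSLV Resigning CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Stand-alone demo: build a SHA-256 replacement CA in a temp dir and audit it.
workdir=$(mktemp -d)
make_resigning_ca "$workdir/resign-ca" sha256 3650
echo "signature: $(cert_sig_alg "$workdir/resign-ca.crt")"
echo "verdict:   $(cert_verdict "$workdir/resign-ca.crt")"
rm -rf "$workdir"
```

Run `cert_verdict` against the CA certificate currently exported from the appliance; a result of `weak-sha1` is the case this article describes.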

Workaround

N/A
