SSL/TLS Certificates - Old Sha-1 AAA Root CA results in Weak Signature or Algorithm constraints check failed errors

AAA Sha-1 Root CA Error and how to fix it

Issue: Various errors result from InCommon/Sectigo issued SSL/TLS certificates that have an old AAA Root CA signed with the Sha-1 algorithm

  • Errors:
    • java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
    • Error: Provided certificate <cert file name> using the weak signature algorithm. Please provide the strong signature algorithm certificate.
    • Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate
    • uses unsafe digest algorithm
      dir-cli failed. Error 90022: Certificate's signature algorithm is weak
    • References: VMWare vSphere & vCenter v. 8.x: https://knowledge.broadcom.com/external/article?legacyId=90281 https://knowledge.broadcom.com/external/article?legacyId=89424
    • Etc.
  • Cause:
    • Certificates requested here through the Server Certificates Service and issued by InCommon/Sectigo are cross signed
    • There are 2 paths through the certificate chain through Intermediate Certificates to the Root Certificate Authorities
    • One of the paths contains a total of 4 certificates, 2 intermediates and a Root CA cert for AAA Certificate Services, which is an older certificate expiring in 2028, but is signed using the old Sha-1 algorithm. Reference: Trust Chain Path B detailed in this Sectigo Knowledge Base article.
    • The Sha-1 certificate remains for compatibility reasons, as there are many older clients that might not have the newer Root CA certificates installed, especially if the client is incapable of or has been restricted from downloading new Root CA certs.
    • The other path contains a total of 3 certificates, 1 intermediate and a Root CA cert for USERTrust RSA Certification Authority signed using a Sha-2 algorithm (sha384WithRSAEncryption)
    • Certain clients appear not capable of navigating, or exploring multiple certification paths and choosing for themselves which path is the best and most secure for them. This results in some clients throwing an error. Most browser clients have the highest compatibility, capability and error handling, while programmatic clients inside of Java, and command line clients like curl and wget might have a lower level of compatibility, capability and error handling.
  • Solution:
    • Force the client to use the shorter path by removing the AAA certificate from the chain file altogether.
    • Download using the link titled "as Certificate (w/ chain), PEM encoded"
    • Check the existing file:
      openssl crl2pkcs7 -nocrl -certfile <certfilename> | openssl pkcs7 -print_certs -noout
      (prints a little bit of info about each cert in the chain)
      openssl verify -verbose -purpose sslserver <certfilename> 
      (should return an OK at the end)
    • Then in the <certfilename> file, delete the first certificate in it's entirety, including the BEGIN CERTIFICATE and END CERTIFICATE sections
      • First line will be: MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
      • Last line will be: smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
    • Save that file, and check it again:
      openssl crl2pkcs7 -nocrl -certfile <certfilename_edit> | openssl pkcs7 -print_certs -noout
      (prints a little bit of info about each cert in the chain)
      openssl verify -verbose -purpose sslserver <certfilename_edit> 
      (should return an OK at the end)
    • Note: this example was checked with OpenSSL 3.1.4

AAA Sha-1 Certificate to remove:

-----BEGIN CERTIFICATE-----

MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb

MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow

GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj

YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL

MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE

BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM

GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP

ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua

BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe

3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4

YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR

rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm

ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU

oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF

MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v

QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t

b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF

AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q

GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz

Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2

G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi

l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3

smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==

-----END CERTIFICATE-----



KeywordsAAA root ca algorithm error weak signature vmware vsphere vcenter sha-1 sha1 chain path server certificates ssl tls incommon comodo sectigo   Doc ID137926
OwnerPHILIP J.GroupSSL Server Certificates
Created2024-06-13 10:41:14Updated2024-06-24 15:10:14
SitesSSL Server Certificates
Feedback  0   0