SSL/TLS Certificates - Old SHA-1 AAA Root CA results in "Weak Signature" or "Algorithm constraints check failed" errors
Issue: Various errors result from InCommon/Sectigo-issued SSL/TLS certificates whose chain includes the old AAA Root CA, which is signed with the SHA-1 algorithm
- Errors:
- java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
- Error: Provided certificate <cert file name> using the weak signature algorithm. Please provide the strong signature algorithm certificate.
- Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate
- uses unsafe digest algorithm
- dir-cli failed. Error 90022: Certificate's signature algorithm is weak
- References: VMware vSphere & vCenter v. 8.x: https://knowledge.broadcom.com/external/article?legacyId=90281 and https://knowledge.broadcom.com/external/article?legacyId=89424
- Etc.
- Cause:
- Certificates requested here through the Server Certificates Service and issued by InCommon/Sectigo are cross signed
- There are 2 paths through the certificate chain through Intermediate Certificates to the Root Certificate Authorities
- One of the paths contains a total of 4 certificates: 2 intermediates and a Root CA cert for AAA Certificate Services. That root is an older certificate that does not expire until 2028 but is signed using the old SHA-1 algorithm. Reference: Trust Chain Path B detailed in this Sectigo Knowledge Base article.
- The SHA-1 certificate remains for compatibility reasons: many older clients may not have the newer Root CA certificates installed, especially clients that are incapable of downloading new Root CA certs or have been restricted from doing so.
- The other path contains a total of 3 certificates: 1 intermediate and a Root CA cert for USERTrust RSA Certification Authority, signed using a SHA-2 algorithm (sha384WithRSAEncryption)
- Some clients are not capable of exploring multiple certification paths and choosing the best and most secure one for themselves; instead, they throw an error. Browsers generally have the highest compatibility, capability and error handling, while programmatic clients such as Java applications and command-line clients like curl and wget may have a lower level of compatibility, capability and error handling.
- Solution:
- Force the client to use the shorter path by removing the AAA certificate from the chain file altogether.
- Download using the link titled "as Certificate (w/ chain), PEM encoded"
- Check the existing file:
openssl crl2pkcs7 -nocrl -certfile <certfilename> | openssl pkcs7 -print_certs -noout
(prints a little bit of info about each cert in the chain)
openssl verify -verbose -purpose sslserver <certfilename>
(should return an OK at the end)
- Then, in the <certfilename> file, delete the first certificate in its entirety, including the BEGIN CERTIFICATE and END CERTIFICATE lines
- First line will be: MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
- Last line will be: smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
- Save that file, and check it again:
openssl crl2pkcs7 -nocrl -certfile <certfilename_edit> | openssl pkcs7 -print_certs -noout
(prints a little bit of info about each cert in the chain)
openssl verify -verbose -purpose sslserver <certfilename_edit>
(should return an OK at the end)
- Note: this example was checked with OpenSSL 3.1.4
AAA Sha-1 Certificate to remove: