SHA-1 Root Certificate – PCI Scanner Error

All major web browsers ceased acceptance of SHA-1 in 2017.

Why then might you be receiving a warning from your server that a Certificate is in SHA-1?

What is a PCI scanner?

In order to reduce credit card fraud, the major credit card companies released a universal set of regulations — the Payment Card Industry Data Security Standard (PCI DSS).

These are to standardize how companies should handle the security of their client’s information.

So, a PCI Scanner checks that a company’s computer systems and IT equipment adhere to the PCI DSS and provides a report on any vulnerabilities found.

SHA-1 warning message

Sometimes, a PCI scan will report an error stating that there is a problem with the Root CA Certificate being used by the SSL certificate.

An example of a result can be seen below:

THREAT:
A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.

RESULT:
The following known CA certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

|-Signature Algorithm : SHA-1 With RSA Encryption

SOLUTION:
Contact the Certificate Authority to have the certificate reissued.

IMPACT:
The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1).

These signature algorithms are known to be vulnerable to collision attacks.

An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.

Why you can ignore this error message

Looking at the details in the results, you will notice that the error is with the intermediate certificate.

This is a false positive as while it is correct that the hash algorithm used is SHA-1, the distrust of SHA-1 mentioned in the very last sentence only pertains to the SSL certificate (public key) and not the root certificate which the error is pointing to.

Furthermore, the root certificate only serves to point the SSL certificate to the issuing Certificate Authority (CA) — it is not involved in the encryption of information at all.

All encryption is handled by the SSL certificate (public key).

Note that this reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable.

This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.

You can find Google’s article on it here:
security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

Sectigo (formerly known as Comodo CA) are already aware that their root certificate (AddTrust External CA Root) is SHA-1.

However, since it is a root certificate, it can still be safely utilized by SSL certificates; thus they have made it publicly available on their website:
sectigo.com/resources/sectigo-root-intermediate-certificate-files

They also have an information page regarding the SHA-1 root CA certificate available since all their SSL certificates (including certificates issued today) will use this same root certificate:
support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ

The issue and resolving it has also been discussed in forums for most platforms, such as the examples below:
forums.cpanel.net/threads/cpanel-comodo-service-ssl-certificate-fails-pci.635237/

forums.aws.amazon.com/thread.jspa?threadID=282132

All Trustico and Sectigo SSL certificates issued (new, renewal and reissue) still use the same root certificate that is mentioned.

To resolve this false positive, the scanning company will usually need to be contacted to assure them it’s not a problem as the error relates to the root CA certificate and not the SSL certificate itself.