AnsweredAssumed Answered

Weak Signature Algorithm in Bundle

Question asked by Cred Sucheck on Dec 16, 2019
Latest reply on Dec 16, 2019 by Keith Shaw

We buy our certs from Godaddy and run a server that requires us to combine the server cert and the provided bundle that Godaddy provides in the zip file when we download the cert. 

 

A vulnerability scan of the site is flagging for "SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)".

The following known CA certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.  |-Subject             : C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority |-Signature Algorithm : SHA-1 With RSA Encryption |-Valid From          : Jun 29 17:06:20 2004 GMT |-Valid To            : Jun 29 17:06:20 2034 GMT

Using openssl and looking at all the certs that are in the file, all use sha256WithRSAEncryption except the last. The last one is using the weak Signature Algorithm.

 

I'm trying to understand how to fix this.  The bundle has three certs in it, can I just omit the last one (the one with the weak algorithm?  Not sure if I should be including all the certs  in the bundle or not?  I can provide the full file with all certs in there if it helps. 

Outcomes