X
Tap here to go to the mobile version of the site.

Support Forum

Windows PKI certificates not trusted due to disabled insecure algorithm.

Posted

Hi there,


I appear to have a similar issue to this user: https://support.mozilla.org/en-US/questions/1174634 Except that I am using a Server 2016 CA, my cryptography is ECC P-384 and SHA-384 which is acceptable according to section 5.1 of: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#maintenance

All certificates issued to websites on my network get the "Your connection is not secure" and the reason as: "sec_error_cert_signature_algorithm_disabled"

IE has no issue with these certs and trusts them and the cert appears the same in both browsers.

Is this a Firefox setting? How can I find out what algorithm it has the problem with?

I have tested this in Firefox 44.0.2 and 60.2 which are the two versions we use, no difference in either.

EDIT: I can confirm that nothing is intercepting my traffic and that the cert presented is the cert I'm expecting, unlike others who've had the same error.

Any help is appreciated.


Regards,

Alex

Hi there, I appear to have a similar issue to this user: https://support.mozilla.org/en-US/questions/1174634 Except that I am using a Server 2016 CA, my cryptography is ECC P-384 and SHA-384 which is acceptable according to section 5.1 of: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#maintenance All certificates issued to websites on my network get the "Your connection is not secure" and the reason as: "sec_error_cert_signature_algorithm_disabled" IE has no issue with these certs and trusts them and the cert appears the same in both browsers. Is this a Firefox setting? How can I find out what algorithm it has the problem with? I have tested this in Firefox 44.0.2 and 60.2 which are the two versions we use, no difference in either. EDIT: I can confirm that nothing is intercepting my traffic and that the cert presented is the cert I'm expecting, unlike others who've had the same error. Any help is appreciated. Regards, Alex

Modified by meshuggener

Chosen solution

I have managed to solve this issue with support from Mozilla.

The issue was when building my PKI root and sub CAs I enabled the 'AlternateSignatireAlgorithms = 1' in the CAPolicy.inf.

This changed the format of the certs I was issuing into a format that Firefox (and not much else) doesn't support. Namely above where IE sees the signature algorithm as "specifiedECDSA" when it should be "sha384ECDSA" and where in FF the "Algorithm Parameter" field wasn't empty like it's supposed to be according to RFC5758 3.2. "the encoding MUST omit the parameters field".

To resolve this I went through all my CAs and changed the flag to 0 in the CAPolicy.inf and modified the registry setting under: HKLM\SYSTEM\CurrentControlSet\Services\Certsvc\Configuration\CANAMEHERE\CSP And then renewed and resigned all certs.

I also posted on Technet to get some confirmation: https://social.technet.microsoft.com/Forums/en-US/eec01ac5-8524-42ac-b2d0-5d3722e077b8/alternatesignaturealgorithm-enabled-on-root-and-sub-cas-causing-issues?forum=winserversecurity

Read this answer in context 0

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

More Information

jscher2000
  • Top 10 Contributor
8194 solutions 67036 answers

Hi Alex, the only signature algorithm I know to be disabled in more recent versions of Firefox is SHA-1. If you inspect your certificate in another browser and check not only the website's cert but the signing cert(s) in the chain, do any of them use SHA-1?

Hi Alex, the only signature algorithm I know to be disabled in more recent versions of Firefox is SHA-1. If you inspect your certificate in another browser and check not only the website's cert but the signing cert(s) in the chain, do any of them use SHA-1?

Question owner

Hi there,


I can confirm that the rootCA, subCA and the end cert are all SHA-384.

In Firefox:

Certificate Signature Algorithm Algorithm Identifier Object Identifier (1 2 840 10045 4 3)


In IE11:

Signature Algorithm specifiedECDSA Signature Hash Algorithm sha384


The OID is this one: http://oid-info.com/get/1.2.840.10045.4.3

The only odd thing is the end cert is RSA whereas the root and sub CAs are ECC, I don't see how that could cause this however.


Regards,

Alex

Hi there, I can confirm that the rootCA, subCA and the end cert are all SHA-384. In Firefox: Certificate Signature Algorithm Algorithm Identifier Object Identifier (1 2 840 10045 4 3) In IE11: Signature Algorithm specifiedECDSA Signature Hash Algorithm sha384 The OID is this one: http://oid-info.com/get/1.2.840.10045.4.3 The only odd thing is the end cert is RSA whereas the root and sub CAs are ECC, I don't see how that could cause this however. Regards, Alex

Chosen Solution

I have managed to solve this issue with support from Mozilla.

The issue was when building my PKI root and sub CAs I enabled the 'AlternateSignatireAlgorithms = 1' in the CAPolicy.inf.

This changed the format of the certs I was issuing into a format that Firefox (and not much else) doesn't support. Namely above where IE sees the signature algorithm as "specifiedECDSA" when it should be "sha384ECDSA" and where in FF the "Algorithm Parameter" field wasn't empty like it's supposed to be according to RFC5758 3.2. "the encoding MUST omit the parameters field".

To resolve this I went through all my CAs and changed the flag to 0 in the CAPolicy.inf and modified the registry setting under: HKLM\SYSTEM\CurrentControlSet\Services\Certsvc\Configuration\CANAMEHERE\CSP And then renewed and resigned all certs.

I also posted on Technet to get some confirmation: https://social.technet.microsoft.com/Forums/en-US/eec01ac5-8524-42ac-b2d0-5d3722e077b8/alternatesignaturealgorithm-enabled-on-root-and-sub-cas-causing-issues?forum=winserversecurity

I have managed to solve this issue with support from Mozilla. The issue was when building my PKI root and sub CAs I enabled the 'AlternateSignatireAlgorithms = 1' in the CAPolicy.inf. This changed the format of the certs I was issuing into a format that Firefox (and not much else) doesn't support. Namely above where IE sees the signature algorithm as "specifiedECDSA" when it should be "sha384ECDSA" and where in FF the "Algorithm Parameter" field wasn't empty like it's supposed to be according to RFC5758 3.2. "the encoding MUST omit the parameters field". To resolve this I went through all my CAs and changed the flag to 0 in the CAPolicy.inf and modified the registry setting under: HKLM\SYSTEM\CurrentControlSet\Services\Certsvc\Configuration\CANAMEHERE\CSP And then renewed and resigned all certs. I also posted on Technet to get some confirmation: https://social.technet.microsoft.com/Forums/en-US/eec01ac5-8524-42ac-b2d0-5d3722e077b8/alternatesignaturealgorithm-enabled-on-root-and-sub-cas-causing-issues?forum=winserversecurity