NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM - IIS SSL Certificate
In this post, I describe how to fix the error:
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
which can occur when you create a self-signed SSL certificate for an HTTPS binding on an IIS web site and then try to access that site in a modern browser such as Chrome or Edge:
(Screenshot: Mismatched Address certificate error - HTTPS localhost IIS)
Cause
If you followed the steps in my previous post, the certificate was created with the certificate signature algorithm PKCS #1 SHA-1 With RSA Encryption:
In 2017, a practical collision attack against SHA-1 was demonstrated, so Chrome and Edge flag certificates signed with it as not secure.
Resolution
The New-SelfSignedCertificate cmdlet has a -HashAlgorithm parameter, which can be set to SHA256 so the certificate is signed with SHA-256 instead of SHA-1. Add it to both New-SelfSignedCertificate calls in the PowerShell script from my previous post, as follows:
$certname = "localhost"
$rootcertname = "localhostRoot"   # assumed value: the root certificate name from the previous post is not shown here
# Create the self-signed root certificate, signed with SHA-256
$rootcert = New-SelfSignedCertificate `
    -Subject "$rootcertname" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec "Signature" `
    -KeyUsage "CertSign" `
    -HashAlgorithm "SHA256" `
    -NotAfter (Get-Date).AddDays(10000)
$thumb = $rootcert.Thumbprint
# Create the site certificate, signed by the root certificate with SHA-256
# (the extension OIDs are Server Authentication and Client Authentication)
$cert = New-SelfSignedCertificate `
    -Subject "CN=$certname" `
    -DnsName "$certname" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -HashAlgorithm "SHA256" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
    -Signer "Cert:\LocalMachine\My\$thumb" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddDays(10000)
# You can't create the root certificate directly in the Trusted Root Certification Authorities store, so export it to a file
Export-Certificate `
    -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"
# ...and then import that file into the Trusted Root Certification Authorities store
Import-Certificate `
    -CertStoreLocation "Cert:\LocalMachine\Root" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"
(Change $certname to your local machine name if desired.)
As before, select this certificate in your web site HTTPS binding in IIS:
The site should now display in a modern browser such as Chrome or Edge without the NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error:
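To confirm the fix, or to find any other certificates IIS is still serving with a SHA-1 signature, the following check is added here as an example (it is not part of the original post). It assumes the WebAdministration module that ships with IIS is available; the function name Get-WeakIisCertificate is my own.

```powershell
# Added example: audit the local machine store for certificates whose signature
# algorithm a modern browser rejects as weak, and report which of them are bound
# to IIS HTTPS sites. Assumes the WebAdministration module is installed with IIS.
function Get-WeakIisCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = "Cert:\LocalMachine\My"
    )

    # Windows friendly names look like "sha1RSA" or "sha256RSA"; treat SHA-1 and MD5 as weak.
    $weakPattern = '^(sha1|md5)'

    # Thumbprints currently used by IIS HTTPS bindings (empty if the module is missing).
    $boundThumbs = @()
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $boundThumbs = Get-ChildItem IIS:\SslBindings | ForEach-Object { $_.Thumbprint }
    }

    Get-ChildItem $StorePath | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Subject            = $_.Subject
            Thumbprint         = $_.Thumbprint
            SignatureAlgorithm = $alg
            Weak               = ($alg -match $weakPattern)
            BoundInIIS         = ($boundThumbs -contains $_.Thumbprint)
            NotAfter           = $_.NotAfter
        }
    } | Where-Object { $_.Weak }
}

# Usage: list weakly signed certificates, showing which ones IIS is actually serving.
Get-WeakIisCertificate | Format-Table Subject, SignatureAlgorithm, BoundInIIS, NotAfter -AutoSize
```

After applying the fix above, the new certificate should no longer appear in this list; any remaining entries with BoundInIIS set to True are bindings that still need to be switched to a SHA-256 certificate.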
Related Posts
- The hostname in the website’s security certificate differs from the website you are trying to visit.
- How to create a self-signed public certificate - Powershell