NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM - IIS SSL Certificate

-

In this post, I descibe how to fix the error:

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

which can occur after you create a self-signed SSL certificate for an HTTPS binding in an IIS web site when you try to access that site in a modern browser such as Chrome or Edge:

Screenshot of error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM in Google Chrome

This is a follow up to my previous post:
Mismatched Address certificate error - HTTPS localhost IIS

Cause

If you followed the steps in my previous post, the certificate is created with the certificate signature algorithm PKCS #1 SHA-1 With RSA Encryption:

Screenshot of certificate signature algorithm PKCS #1 SHA-1 With RSA Encryption

In 2017, SHA-1 was proven insecure and thus Chrome and Edge flag it as not secure.


Resolution

The New-SelfSignedCertificate cmdlet includes a HashAlgorithm parameter which can be set to SHA-256.  This can easily be added to the PowerShell script from my previous post as follows: 

$rootcertname = "ROOT"
$certname = "localhost"
 
# Create the root certificate
$rootcert = New-SelfSignedCertificate `
                -Type "Custom" `
                -KeyExportPolicy "Exportable" `
                -Subject "$rootcertname" `
                -CertStoreLocation "Cert:\LocalMachine\My" `
                -KeySpec "Signature" `
                -KeyUsage "CertSign" `
                -HashAlgorithm "SHA256" `
                -NotAfter(Get-Date).AddDays(10000)
 
# Get the root certificate thumbprint
$thumb = $rootcert.Thumbprint
 
# Create the SSL certificate using the thumbprint of the root certificate
New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -Subject "CN=$certname" `
    -DnsName "$certname" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec "KeyExchange" `
    -HashAlgorithm "SHA256" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
    -Signer "Cert:LocalMachine\My\$thumb" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddDays(10000)
 
# You can't create the root certificate directly in the Trusted Root Certification Authorities store, so export it to a file
Export-Certificate `
    -Cert "Cert:\LocalMachine\my\$thumb" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"
 
# Then import that file into the Trusted Root Certification Authorities store
Import-Certificate `
    -CertStoreLocation "Cert:\LocalMachine\Root" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"

(change the certname to your local machine name if desired)

As before, select this certificate in your web site HTTPS binding in IIS:

Screenshot of SSL certificate selection in an HTTPS binding in IIS

The site should now display in a modern browser such as Chrome or Edge without the NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error:

Screenshot of IIS web site root page over HTTPS without a certificate error

Related Posts

- The hostname in the website’s security certificate differs from the website you are trying to visit.

- How to create a self-signed public certificate - Powershell

Comments

Post a Comment

Popular posts from this blog

LG TV This app will now restart to free up more memory

-
Image
This post describes how to fix the error "This app will now restart to free up more memory" which can occur when using apps such as Netflix on an LG TV after just a few minutes of use. Resolution To resolve the issue, unplug the TV then press the on/off button for 10 seconds.  Wait a further 20 seconds then plug the TV back in and turn it back on. Apps should now run without the error. Edit: The on/off button on my LG TV is directly under the standby light on the bottom of the TV. Edit: I didn't have to do this myself but one person who has left a comment said that clearing all browsing data worked for them.  I have written a post explaining how to do this: LG TV Clear All Browsing History Data . Edit: A few other people have also suggested turning off quick start in settings (and if it's already off, turn it on then off again).  I have written a post explaining how to do this: LG TV turn off Quick Start in settings Related Posts -  LG TV delete/rem...
Read more

What is the "W" light on a Steelseries keyboard?

-
Image
This post describes what the light marked "W" on a Steelseries Apex keyboard is. This is the fourth light in the row located in the top right corner of the keyboard, next to the Scroll Lock "S" light. The "W" light on a Steelseries Apex Keyboard This light indicates that the Windows key has been disabled.  So, when you're gaming, if you accidentally press the Windows key, you will stay in the game instead of being taken to the Windows desktop. How to turn the "W" light on or off? The "W" light on a Steelseries Apex keyboard can be turned on or off by pressing and holding the special Steelseries function key down, then pressing the Windows key. Related Posts -  Steelseries Sensei Ten squeaky scroll wheel
Read more

Excel Import CSV not using "Use First Row as Headers"

-
Image
Issue When importing a CSV file into Microsoft Excel, you may find that it is not using "Use First Row as Headers" so you end up with Column1, Column2 etc as headers. Resolution To resolve this issue, press the Transform Data button in the bottom right. This loads the Power Query Editor which includes the "Use First Row as Headers" option in the Home ribbon.  Press this option once. Press Close & Load to apply. The first row is now being used as headers: Related Posts - Open a Microsoft Excel spreadsheet xlsx file as read only
Read more