NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM - IIS SSL Certificate

In this post, I describe how to fix the error:

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

which can occur when you create a self-signed SSL certificate for an HTTPS binding on an IIS web site and then open that site in a modern browser such as Chrome or Edge:

Screenshot of error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM in Google Chrome

This is a follow-up to my previous post:
Mismatched Address certificate error - HTTPS localhost IIS

Cause

If you followed the steps in my previous post, the certificate was created with the signature algorithm PKCS #1 SHA-1 With RSA Encryption:

Screenshot of certificate signature algorithm PKCS #1 SHA-1 With RSA Encryption

In 2017, a practical collision attack against SHA-1 was demonstrated, so Chrome and Edge now reject certificates signed with it as not secure.


Resolution

The New-SelfSignedCertificate cmdlet has a HashAlgorithm parameter, which can be set to SHA256. Adding it to the PowerShell script from my previous post (on both the root certificate and the SSL certificate, since both are checked) gives the following:

$rootcertname = "ROOT"
$certname = "localhost"
 
# Create the root certificate (signed with SHA-256 rather than the default SHA-1)
$rootcert = New-SelfSignedCertificate `
                -Type "Custom" `
                -KeyExportPolicy "Exportable" `
                -Subject "$rootcertname" `
                -CertStoreLocation "Cert:\LocalMachine\My" `
                -KeySpec "Signature" `
                -KeyUsage "CertSign" `
                -HashAlgorithm "SHA256" `
                -NotAfter (Get-Date).AddDays(10000)
 
# Get the root certificate thumbprint
$thumb = $rootcert.Thumbprint
 
# Create the SSL certificate, signed by the root certificate identified by its thumbprint
# (the TextExtension sets Extended Key Usage to Server Authentication and Client Authentication)
New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -Subject "CN=$certname" `
    -DnsName "$certname" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeySpec "KeyExchange" `
    -HashAlgorithm "SHA256" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2") `
    -Signer "Cert:\LocalMachine\My\$thumb" `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddDays(10000)
 
# You can't create the root certificate directly in the Trusted Root Certification Authorities store, so export it to a file
Export-Certificate `
    -Cert "Cert:\LocalMachine\My\$thumb" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"
 
# Then import that file into the Trusted Root Certification Authorities store
Import-Certificate `
    -CertStoreLocation "Cert:\LocalMachine\Root" `
    -FilePath "C:\Users\sysadmin\Desktop\$rootcertname.cer"

(change $certname to your local machine name if desired)

As before, select this new certificate in your web site's HTTPS binding in IIS:

Screenshot of SSL certificate selection in an HTTPS binding in IIS

The site should now display in a modern browser such as Chrome or Edge without the NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM error:

Screenshot of IIS web site root page over HTTPS without a certificate error
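To confirm the fix took effect before testing in a browser, the following check (added here, not part of the original post) walks every HTTPS binding in IIS, reads the signature algorithm of the bound certificate, and flags SHA-1 or MD5 signatures and issuers that are missing from the Trusted Root store. It assumes IIS with the WebAdministration module on the local machine; the function name is my own.

```powershell
# Added check, not from the original post. Reports the certificate behind each
# IIS HTTPS binding so a SHA-1 signature is caught before the browser does.
# Assumes IIS and the WebAdministration module are installed locally.
Import-Module WebAdministration

function Get-IisHttpsBindingCertificateReport {
    foreach ($binding in Get-WebBinding -Protocol https) {
        # Bindings record the thumbprint and the store (defaults to "My")
        $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { "My" }
        $thumb = $binding.certificateHash

        $report = [ordered]@{
            Binding            = $binding.bindingInformation
            Thumbprint         = $thumb
            Subject            = $null
            SignatureAlgorithm = $null
            NotAfter           = $null
            RootTrusted        = $false
            Weak               = $true      # treat "no usable certificate" as a failure
            Note               = "no certificate bound or thumbprint not found in LocalMachine\$store"
        }

        $cert = $null
        if ($thumb) {
            $cert = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
        }

        if ($cert) {
            # FriendlyName is e.g. "sha1RSA" (rejected) or "sha256RSA" (accepted)
            $alg = $cert.SignatureAlgorithm.FriendlyName
            $report.Subject            = $cert.Subject
            $report.SignatureAlgorithm = $alg
            $report.NotAfter           = $cert.NotAfter
            $report.Weak               = [bool]($alg -match '^(sha1|md5)')
            # The issuer (the "ROOT" cert from the script) must sit in Trusted Root,
            # otherwise the browser reports an untrusted authority instead
            $report.RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                         Where-Object { $_.Subject -eq $cert.Issuer })
            $report.Note = if ($report.Weak) { "re-issue with -HashAlgorithm SHA256" }
                           elseif (-not $report.RootTrusted) { "import issuer into Cert:\LocalMachine\Root" }
                           else { "ok" }
        }

        [pscustomobject]$report
    }
}

Get-IisHttpsBindingCertificateReport | Format-Table -AutoSize
```

A binding whose row shows Weak = True still carries the old SHA-1 certificate; rerun the script above and reselect the new certificate in the binding.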

Related Posts

- The hostname in the website’s security certificate differs from the website you are trying to visit.

- How to create a self-signed public certificate - Powershell
