Certificate Authority generates a certificate on IIS 6 running on Windows Server 2008 R2 that uses weak encryption in Chrome and Firefox

1

My organization has our own Certificate Authority (CA) on one of our Windows Server 2008 R2 machines and a local intranet website that uses SSL. My predecessor created a certificate in 2016 that does not meet the requirements of Chrome and Firefox now. Since then that certificate has expired and has not been renewed. I renewed the certificate and installed it into the Trusted Root Certification Authorities on the remote computer, and Firefox and Chrome now claim that the certificate is invalid. Firefox says it uses weak encryption and Chrome just says it's invalid without a reason ... but says the certificate is OK on the Certificate Details screen (?).

The Certificate Authority is being handled by Windows Server 2008 R2 through IIS 6 at the moment.

My question is how can I configure IIS and the certificate to meet these requirements?

Certificate located in C:/Windows/System32/certsrv/CertEnroll

X509 Certificate:
Version: 3
Serial Number: 6464d31bb0aeefa44bea96fe13c****
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=*******

 NotBefore: 11/11/2016 9:30 AM
 NotAfter: 11/11/2021 9:40 AM

Subject:
    CN=******

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 bb 58 5d e8 11 4f 57
    0010  aa 37 3a 21 af 8e ab 20  24 36 6f f6 6e c9 6b d9
    0020  d7 10 7f e4 e6 26 0c ee  e0 67 41 bd 0d 4d 2c 1c
    0030  56 ec 20 7a 80 5d bc f9  ed 8d a9 4d d9 ac b6 f7
    0040  24 18 2f 19 ae 35 d9 f3  a6 0a 1a 76 c3 07 c2 bb
    ******************
Certificate Extensions: 4
    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        a9 ab c3 52 50 8d 20 07 17 2d a0 7f 9d a9 ******

    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  1e b8 e5 7e 93 d4 e4 1c  5b 23 12 14 b3 44 14 cb
    0010  1a 22 a1 ab 7d 2e 72 2c  af 20 76 0b d5 93 02 58
    0020  d7 44 85 76 5d 97 c5 58  ba 48 53 e7 ab e8 f6 e2
    0030  15 a8 90 6b 53 bd 9f 04  54 b0 a0 07 94 89 f5 01
    0040  74 bc e9 0c 03 98 52 89  f6 5d 53 7a 42 ae 70 43
    ***************
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): a9 ab c3 52 50 8d 20 07 17 ********
Key Id Hash(sha1): 17 52 93 4f ea 7d 37 58 df 80 e3 a8 ********
Cert Hash(md5): 88 8f 26 47 51 73 25 8a 3d d8 56 ********
Cert Hash(sha1): e2 fb 4e 43 b7 2e 35 00 fa 7b a8 8c ******
CertUtil: -dump command completed successfully.

Braden

Posted 2019-12-17T18:53:34.077

Reputation: 11

What are you using to generate the root certificate authority? Edit your question instead of submitting a comment. If you are using OpenSSL then you should identify what version you are running. Additionally, if you are using OpenSSL, you should identify what ciphers you are using and any other details about the certificate itself. – Ramhound – 2019-12-17T18:55:49.777

Run certutil.exe <certificate file> (for both the CA cert and the web server cert) and paste the output into your question (redact some details if you feel the need). Without details, it is very difficult to say what's wrong. – garethTheRed – 2019-12-17T19:45:08.823

@Ramhound I updated my initial post. – Braden – 2019-12-17T20:29:28.197

@Braden - How did you generate the certificate? You have not really provided the information required to help you. The certificate and the RA certificate both must be added to the Firefox certificate store in order to work with that browser. Likewise, both certificates must be added to the operating system's certificate store in order to be used by Chrome. Providing this information in the event you don't already know it. – Ramhound – 2019-12-17T20:34:40.790

@garethTheRed I have dumped the certificate that is located in the CertEnroll folder – Braden – 2019-12-17T20:39:10.487

@Ramhound My apologies...I'm learning as I go and trying to answer everything. The certificate was generated using the Certificate Authority role on Windows Server. I believe I am missing a certificate then. I only have the one certificate that I downloaded from <ServerName>/certsrv and added to the Trusted Root Certification Authorities location in mmc.exe. Which two certificates should exist on the operating system's side? – Braden – 2019-12-17T20:48:53.903

@Braden - You should read Steffen's answer as it's applicable to your situation. – Ramhound – 2019-12-17T22:57:21.107

Answers

0

Your certificate has nearly no effect on the encryption used. The cipher suites configured in your (unknown) web server are instead responsible for this, and the certificate has only a small effect on which cipher suites are available (i.e. RSA certificates need ciphers with RSA authentication).

Based on this it makes no sense to get a "stronger" certificate. Instead you should configure your web server to support the stronger cipher suites, specifically ban all ciphers with RSA key exchange or at least decrease their priority.

As for the strength of the certificate itself which is relevant for the authentication: you need to use a strong public key (at least 2048 bit if you stay with RSA) and at least SHA-256 as signature algorithm.

Steffen Ullrich

Posted 2019-12-17T18:53:34.077

Reputation: 3 897

My apologies for not being clear. This is rather new to me and I am learning as I go. We are running IIS 6 on Windows Server 2008 R2. The intranet site is being hosted on IIS. – Braden – 2019-12-17T20:31:36.360

https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/

So...my hunch is since ours says not configured that would be the cause of the "weak encryption". I'll configure it and see if that resolves the error.

– Braden – 2019-12-17T21:17:32.233

No change. Still the same errors in Chrome and Firefox. The technical details in Firefox list Broken Encryption (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.0) – Braden – 2019-12-17T22:26:11.057

@Braden - You need to stop using a certificate that supports TLS 1.0, it's considered insecure by all browsers, so any client will consider the site to be insecure. Suspect you might have better luck with OpenSSL and simply import the certificate that is generated. – Ramhound – 2019-12-17T22:59:26.250

@Ramhound The odd part is that TLS 1.0 isn't even installed on the server... I'm not sure why the browser is saying that. Is the certificate maybe configured wrong? I'm really at a loss as this is all new to me. - I'll also read that other comment you mentioned. I think I did, but I'll read through it more in depth. – Braden – 2019-12-17T23:24:57.347
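The answer's point, that the certificate and the negotiated TLS parameters are checked separately, applied to the data in this thread. This is an added example, not code from the question or the answer: it takes a constructed excerpt of the certutil -dump output quoted above and the Firefox "Technical Details" line from the comments, and reports which side fails the criteria the answer gives (2048-bit RSA and SHA-256 for the certificate; no RSA key exchange and a current protocol for the server).

```python
import re

# Constructed excerpt of the certutil -dump output quoted in the question
CERT_DUMP = """X509 Certificate:
Version: 3
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Public Key Length: 2048 bits
"""

# Constructed copy of the Firefox "Technical Details" line from the comments
FIREFOX_DETAILS = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.0"


def check_certificate(dump):
    """Apply the answer's two certificate criteria to a certutil -dump text."""
    problems = []
    m = re.search(r"Public Key Length:\s*(\d+) bits", dump)
    if not m or int(m.group(1)) < 2048:
        problems.append("public key shorter than 2048 bits")
    # The first 'Signature Algorithm' block names the hash used to sign the cert
    m = re.search(r"Signature Algorithm:\s*\n\s*Algorithm ObjectId: \S+ (\w+)", dump)
    alg = m.group(1).lower() if m else ""
    if not alg.startswith(("sha256", "sha384", "sha512")):
        problems.append(f"signature algorithm {alg or 'unknown'} weaker than SHA-256")
    return problems


def key_exchange(suite):
    """TLS_<kx>_WITH_<cipher>: 'RSA' alone is RSA key exchange (what the answer
    says to ban); 'ECDHE_RSA' is ECDHE key exchange with RSA authentication,
    which is what an RSA certificate requires."""
    return suite[len("TLS_"):].split("_WITH_")[0]


def check_connection(details):
    """Parse the Firefox line and flag problems that live in the server's
    Schannel configuration (protocol versions, cipher suite order), not the cert."""
    suite, _, proto = [p.strip() for p in details.split(",")]
    problems = []
    if proto in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        problems.append(f"{proto} negotiated; browsers treat anything below TLS 1.2 as insecure")
    if key_exchange(suite) == "RSA":
        problems.append("RSA key exchange suite negotiated; no forward secrecy")
    return problems


if __name__ == "__main__":
    print("certificate:", check_certificate(CERT_DUMP) or "meets the stated criteria")
    print("server config:", check_connection(FIREFOX_DETAILS) or "ok")
```

For the thread's own data the certificate passes and only the server-side protocol is flagged, which is why renewing the certificate changed nothing.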