06-08-2017 01:35 PM
Trying to configure SSL Decryption and googled this to no end.
I have an Enterprise CA, created the cert with that, I can see that the GPO's have deployed to the cert to the users.
In my testing I only have decryption turned on for one user.
Internet Explorer works fine as best I can tell it's not even noticing.
Chrome on the other hand is not amused. I cannot go to a single https site, they all seem to give the same error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Subject: *.facebook.com
Issuer: 192.168.15.10
Expires on: Jun 22, 2018
Current date: Jun 8, 2017
PEM encoded chain:
-----BEGIN CERTIFICATE-----
... <assuming this is the cert from the site>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the PA>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the CA>...
-----END CERTIFICATE-----
Banging my head against the wall here to trying to figure out what is missing
06-09-2017 05:37 AM
Just FYI, we found that it was easier to spin up a specific SHA2 CA and keep the existing SHA1 CA around at the same time. If you issue certificates to your machines and/or users and can't easily migrate everything over to a new cert easily, that might be an 'effective' solution until everything that uses a cert for authentication is gradually migrated.
06-08-2017 01:57 PM
It sounds like you're trying to use a SHA-1 cert. IE isn't going to complain but pretty much everything else at this point is.
06-08-2017 01:59 PM - edited 06-08-2017 02:01 PM
The CA cert, which you imported to the firewall, could it possibly be that this is an SHA1 certificate?
--> you need a cert with SHA256 signature algorithm
Edit: too late ...
@BPry 😉
06-08-2017 02:32 PM
Ok so I double checked, when I made the request on the PA I left it with the defaults that were not SHA1, I think it was 2048... So is it something on the CA and the template it used that would have done that?
06-08-2017 02:43 PM - edited 06-08-2017 02:51 PM
RSA2048 is the key algorithm used for the private/public key pair. The signature is another dropdown field in the PA WebUI. And because SHA1 is no longer a secure algorithm, because it was successfully cracked about 2 months ago, Chrome does not let you open this website.
Theoretically this algorithm was already known to be insecure many years ago ... but there was no (known) successful attack till this year
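To make the distinction in the reply above concrete (RSA-2048 is the key pair, the hash named in the certificate's signatureAlgorithm field is what Chrome objects to), here is an added, dependency-free Python example that is not part of this thread or of any Palo Alto tool. It decodes a PEM chain of the kind Chrome pastes into the error page, walks just enough DER to reach each certificate's outer AlgorithmIdentifier, and flags SHA-1/MD5 signatures. The three-certificate chain it runs on is constructed in the script with a minimal DER encoder (empty tbsCertificate, placeholder signature) so it runs offline; only the AlgorithmIdentifier is meaningful, and the OID names come from the standard X.509 assignments.

```python
import base64
import re

# Standard signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
# Hashes that Chrome rejects with NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM.
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content octets to dotted form (first arc 0/1/2 with second < 40)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from Certificate.signatureAlgorithm (outer field)."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { ... }
    assert tag == 0x30
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped
    tag, alg, _ = _read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    assert tag == 0x30
    tag, oid, _ = _read_tlv(alg, 0)        # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    return _decode_oid(oid)


def pem_chain_to_der(pem_text):
    """Split a PEM bundle into DER blobs, leaf first, as Chrome exports it."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text):
    """Return [(algorithm_name, is_weak), ...] for each certificate in the chain."""
    out = []
    for der in pem_chain_to_der(pem_text):
        oid = signature_algorithm(der)
        name = SIG_OIDS.get(oid, oid)
        out.append((name, name in WEAK))
    return out


# --- constructed sample input (hypothetical; not a real certificate) -----------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Stand-in certificate: empty tbsCertificate, real AlgorithmIdentifier,
    dummy BIT STRING. Enough structure for signature_algorithm() to parse."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 5)
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Leaf re-signed by the firewall, the firewall's CA cert, the enterprise root:
# the first two use SHA-1 (the situation in this thread), the root SHA-256.
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.5")
                + fake_cert_pem("1.2.840.113549.1.1.5")
                + fake_cert_pem("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for i, (name, weak) in enumerate(audit_chain(SAMPLE_CHAIN)):
        print(f"cert[{i}]: {name} {'<-- WEAK, Chrome will reject' if weak else 'ok'}")
```

Against a real chain saved from the browser, `audit_chain(open("chain.pem").read())` gives the same report; the equivalent one-liner with the OpenSSL CLI is `openssl x509 -in cert.pem -noout -text`, whose "Signature Algorithm:" line is the field this script reads. Note the check is per certificate: a SHA-256 leaf issued by a SHA-1 CA still fails, which is why the fix in this thread was the CA itself.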
06-08-2017 03:13 PM
So I just tried another request and it still only gave me a sha1
could my CA just be retarted somehow?
06-08-2017 03:26 PM
NM found it... yea never migrated my CA off sha1.... yay more fun...
Thank you all for the help