SSL Decryption not working in chrome

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Decryption not working in chrome

L1 Bithead

Trying to configure SSL Decryption and googled this to no end.

I have an Enterprise CA, created the cert with that, I can see that the GPO's have deployed to the cert to the users.
In my testing I only have decryption turned on for one user.

 

Internet Explorer works fine as best I can tell it's not even noticing.

Chrome on the other hand is not amuzed. I cannot go to a single https site they all seem to give the same error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

 

Subject: *.facebook.com

Issuer: 192.168.15.10

Expires on: Jun 22, 2018

Current date: Jun 8, 2017

PEM encoded chain:

-----BEGIN CERTIFICATE-----
... <assuming this is the cert from the site>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the PA>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the CA>...
-----END CERTIFICATE-----

 

Banging my head against the wall here to trying to figure out what is missing

1 accepted solution

Accepted Solutions

@DaleK,

Just FYI, we found that it was easier to spin up a specific SHA2 CA and keep the existing SHA1 CA around at the same time. If you issue certificates to your machines and/or users and can't easily migrate everything over to a new cert easily, that might be an 'effective' solution until everything that users a cert for authentication is gradually migrated. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

It sounds like your trying to use a SHA-1 cert. IE isn't going to explain but pretty much everything else at this point is. 

L7 Applicator

The CA cert, which you imported to the firewall, could it possibly be that this is an SHA1 certificate?

--> you need a cert with SHA256 signature algorithm

 

Edit: too late ...

 

@BPry 😉

Ok so i double checked when i made the request on the PA i left it with the defaults that were not sha1 i think it was 2048... So is it something on the CA and the template it used that would have done that?

RSA2048 is the key algorithm used for the private/public key pair. The signature is another dropdown field in the PA WebUI. And because SHA1 is no longer a secure algorithm because it was sucessfully cracked about 2 months ago chrome does not let you open this website.

 

Theoretically this algorithm was already known unsecure many years ago ... but there was no (known) successful attack till this year

So I just tried another request and it still only gave me a sha1

 

could my CA just be retarted somehow?

 

request.PNGcert.PNG

NM found it... yea never migrated my CA off sha1.... yay more fun...

 

Thank you all for the help

@DaleK,

Just FYI, we found that it was easier to spin up a specific SHA2 CA and keep the existing SHA1 CA around at the same time. If you issue certificates to your machines and/or users and can't easily migrate everything over to a new cert easily, that might be an 'effective' solution until everything that users a cert for authentication is gradually migrated. 

  • 1 accepted solution
  • 4833 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!