Certificate is Signed Using a Weak Signature Algorithm - Vulnerability Database

Description

The SSL/TLS certificate presented by this server uses a cryptographically weak signature algorithm (such as MD5 or SHA-1) that is vulnerable to collision attacks. Modern browsers and security standards have deprecated these algorithms because attackers can potentially forge certificates by exploiting mathematical weaknesses in the hashing functions.

Certificates signed with weak algorithms do not provide adequate assurance of authenticity and should be replaced with certificates using stronger signature algorithms like SHA-256 or SHA-384.

Remediation

Replace the current certificate with a new one signed using a strong cryptographic hash algorithm. Follow these steps:

  1. Generate a new Certificate Signing Request (CSR) on your server. Ensure your server software is configured to use SHA-256 or stronger (SHA-384, SHA-512) as the signature algorithm.
  2. Submit the CSR to your Certificate Authority (CA) and request a new certificate. Verify that the CA will sign it using SHA-256 or stronger before proceeding.
  3. Install the new certificate on your server, replacing the existing weak certificate.
  4. Update your server configuration to use the new certificate and restart the web server or SSL/TLS service.
  5. Verify the installation using SSL testing tools to confirm the certificate is properly installed and uses a strong signature algorithm.

Most modern Certificate Authorities automatically issue certificates with SHA-256 signatures. If you encounter issues, contact your CA's support team for guidance specific to their issuance process.
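
Steps 1 and 5 of the remediation, written with the openssl command line. This is an added example, not part of the original advisory; the function names and file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): create a SHA-256 CSR and check
# which signature algorithm a CSR, certificate or live server uses.
# Function names and file paths are illustrative assumptions.

# Step 1: new RSA key plus a CSR whose self-signature uses SHA-256.
make_csr() {  # usage: make_csr <key.pem> <csr.pem> <common-name>
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the signature algorithm of a PEM file.
# kind is "req" for a CSR or "x509" for a certificate.
sig_alg() {  # usage: sig_alg <req|x509> <file.pem>
  openssl "$1" -in "$2" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Step 5: same check against the leaf certificate a server presents.
server_sig_alg() {  # usage: server_sig_alg <host> [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Return 0 (true) when the algorithm name uses MD5 or SHA-1.
# Limitation: RSA-PSS prints as "rsassaPss" with the hash on a separate
# "Hash Algorithm" line, which this name-based check does not inspect.
is_weak_alg() {  # usage: is_weak_alg <algorithm-name>
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *md5*|*sha1*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run `sig_alg req` on the CSR before submitting it and `sig_alg x509` on the certificate the CA returns; a certificate for which `is_weak_alg` succeeds should not be installed.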