Godaddy SSL Root CA SHA 1 signature

We are failing a security scan using a newly generated GoDaddy certificate that has the GoDaddy Root CA with a SHA-1 signed certificate. These are for non-UCC Standard certificates. However, we have other certificates that are UCC and they also have this GoDaddy SHA-1 root CA in the certificate chain. However, we also have non-UCC and UCC certs that only have the root as GoDaddy G2 CA in the chain.


I contacted support and they were less than helpful, and I hope they get replaced because this was actually an easy fix and it exposes a problem within GoDaddy's certificate signing policies. I was able to reproduce the issue and obtain a brand new signed certificate and it still had the GoDaddy SHA-1 CA certificate and not the G2 as the root. So the GoDaddy policy is still broken as of today.

Here is the fix and the root cause: GoDaddy has a Root CA that uses SHA-1 and they have the G2 as the Root CA. At some point GoDaddy specified that newly issued certificates will only come from the G2 Root CA; however, this is not always true. If you have a renewed certificate that is older than when GoDaddy made this policy change, and you don't specify to use the GoDaddy SHA-2 authority (and click Save) when it is renewed, then it will continue to be signed by the old GoDaddy SHA-1 Root CA. So the fix is to re-key your certificates and specifically choose either the GoDaddy SHA-2 option (and click Save) or the Starfield SHA-2. Then it will apply the new issuance policy to a renewed certificate.
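The post describes the symptom (a scanner flagging a SHA-1 signature somewhere in the served chain) and the fix (re-keying under the SHA-2 authority), but not how to confirm which certificate in the chain actually carries the SHA-1 signature. The following added example is not from the original poster or from GoDaddy: it is a stdlib-only Python checker that walks a PEM chain, reads each certificate's signatureAlgorithm OID straight from the DER, and flags SHA-1 signatures on any certificate that is not self-signed (a root's signature over itself is never verified by a client, so only the leaf and intermediate/cross-certificate signatures matter to a scanner). The chain it runs on is constructed inline with a tiny DER encoder; the certificates are structurally valid but unsigned, and the names "Old Root CA" and "Intermediate CA G2" are placeholders, not GoDaddy's real subjects.

```python
"""Flag SHA-1 signatures in a PEM certificate chain (stdlib only; added example)."""
import base64
import re

# signatureAlgorithm OID -> (name, is_sha1); anything else is reported as its OID
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split SEQUENCE/SET contents into a list of (tag, contents) elements."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def describe_cert(der_bytes):
    """Return (signatureAlgorithm OID, self_signed) for one DER certificate."""
    _, cert, _ = der_read(der_bytes)             # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = der_children(cert)       # tbsCertificate, signatureAlgorithm, signatureValue
    _, oid_raw = der_children(sig_alg[1])[0]      # AlgorithmIdentifier.algorithm
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]  # serial, signature, issuer, validity, subject, ...
    return decode_oid(oid_raw), issuer == subject


def pem_to_ders(pem_text):
    """Extract every CERTIFICATE block from PEM text as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text):
    """One finding per certificate; 'flag' is True for a SHA-1 signature a
    scanner would object to (self-signed roots are exempt: nobody verifies them)."""
    findings = []
    for i, der_bytes in enumerate(pem_to_ders(pem_text)):
        oid, self_signed = describe_cert(der_bytes)
        name, is_sha1 = SIG_ALGS.get(oid, (oid, False))
        findings.append({"index": i, "algorithm": name, "self_signed": self_signed,
                         "flag": is_sha1 and not self_signed})
    return findings


# --- constructed sample chain (not real certificates) ------------------------
def der(tag, *parts):
    """Minimal DER TLV encoder used only to build the sample chain."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def fake_cert(subject, issuer, sig_oid):
    """Structurally valid, unsigned X.509 DER with the given signatureAlgorithm (constructed)."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { CN, UTF8String }
        return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3"), der(0x0C, cn.encode()))))
    alg = der(0x30, encode_oid(sig_oid), der(0x05))
    validity = der(0x30, der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1"), der(0x05)), der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              name(issuer), validity, name(subject), spki)
    return der(0x30, tbs, alg, der(0x03, b"\x00" * 9))


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = "".join(to_pem(c) for c in [
    fake_cert("www.example.test", "Intermediate CA G2", "1.2.840.113549.1.1.11"),  # SHA-256 leaf
    fake_cert("Intermediate CA G2", "Old Root CA", "1.2.840.113549.1.1.5"),       # SHA-1 cross-cert: flagged
    fake_cert("Old Root CA", "Old Root CA", "1.2.840.113549.1.1.5"),              # SHA-1 self-signed root: exempt
])

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```

To audit a live server instead of the constructed chain, pass the PEM text printed by `openssl s_client -connect host:443 -showcerts` to `audit_chain`. On the chain in the post, the interesting result is the middle entry: a G2 intermediate or cross-certificate that is still signed with SHA-1 by the old root is what the scanner objects to, and re-keying under the SHA-2 authority is what replaces it.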

Accepted solution

Resolver III

Re: Godaddy SSL Root CA SHA 1 signature

I absolutely do appreciate your security concern. Replacement of SHA1 has been advocated for quite some time, especially for certificates. The reason being that certificates are valid for a long period of time and it puts it in reach of moderately skilled and funded attackers.


However, forcing a change from SHA1 to SHA2 may break some systems - especially if we talk about embedded IT products with limited security capabilities. It's correct to say that SHA1 certificates will not be valid in all main web browsers, though.


I like your fix - pay attention to the detail and check the CA where the certificate will be sent. I imagine it may still lead to occasional mistakes.


I'm not privy to the details of the certificate policy but these are usually linked to particular CAs. So the question is possibly more towards the guidance and clarity during the issuance process.


Dan


———

I've worked around (not only) SSL security for over 20 years in enterprises and startups. 

I am now running an HTTPS expiry management service KeyChest.net
