“My certificate provider recently switched to only providing SHA2/SHA256 certificates because SHA-1 certificates are no longer safe. But Azure only supports SHA1 certificates! https://msdn.microsoft.com/library/azure/gg465718.aspx says ‘The only thumbprint algorithm currently supported is sha1’”.
Lately I have been seeing this issue more often due to some larger cert providers recently making this change. The entire industry has been deprecating SHA-1 certificates for a while and Chrome has recently started showing warnings in the browser. Some references:
- https://www.digicert.com/sha-2-ssl-certificates.htm
- https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AD927&actp=LIST&viewlocale=en_US
- http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
- http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
- etc…
Signing algorithm vs. Thumbprint algorithm
The issue stems from confusion between the two types of algorithms used by certificates.
- Signing algorithm. This is the algorithm used to actually sign the certificate, and this is what makes the certificate secure (or, in the case of SHA-1, less secure). The signing algorithm and the resulting signature are specified by the certificate authority when it creates the cert and are built into the cert itself. This algorithm is where SHA1 is being deprecated. Azure doesn't know or care what this algorithm is.
- Thumbprint algorithm. This algorithm is used to generate a thumbprint in order to uniquely identify and find a certificate. This algorithm and its value are not built into the certificate but are instead calculated whenever a cert lookup is done. Multiple thumbprints can be generated using different algorithms, all from the same certificate data. The thumbprint has nothing to do with certificate security since it is just used to identify/find the cert within the cert store. Windows, .NET, and Azure all use the SHA1 algorithm for the thumbprint algorithm, and SHA1 is the only algorithm allowed in the ServiceConfiguration.cscfg file:
<Certificates>
<Certificate name="Certificate1" thumbprint="69BF333452DAA85E462E33B138F3B65842C8B428" thumbprintAlgorithm="sha1" />
</Certificates>
Solution
You can use your SHA2/SHA256 signed certificate in Azure, you just have to specify an SHA1 thumbprint. Your certificate provider should be able to provide you with an SHA1 thumbprint, but it is relatively straightforward to find or calculate the SHA1 thumbprint on your own. Here are a few options:
- The easiest option is to simply open the certificate in the Certificate Manager on any Windows OS. Windows will display the SHA1 thumbprint in the certificate properties window.
- On a Windows OS you can run ‘certutil -store my’ (replace my with whatever store your cert is in).
- In PowerShell you can call System.Security.Cryptography.SHA1Cng.ComputeHash per http://ig2600.blogspot.com/2010/01/how-do-you-thumbprint-certificate.html
- There are a few other options including .NET code, openssl, and Apache Commons Codec at http://stackoverflow.com/questions/1270703/how-to-retrieve-compute-an-x509-certificates-thumbprint-in-java.
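As an added example (not from the original post), a small Python script that computes the SHA1 and SHA256 thumbprints over a certificate's DER bytes in the Windows/Azure format and reads the signing-algorithm OID out of the same bytes, to show that the thumbprint algorithm and the signing algorithm are independent. The embedded sample is a constructed DER skeleton with an empty tbsCertificate, not a real certificate.

```python
import base64
import hashlib

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) for the name lookup below.
SIGNATURE_ALGORITHMS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def pem_to_der(pem: str) -> bytes:  # strip the PEM armor, base64-decode the DER body
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash of the entire DER certificate, Windows/Azure style (upper-case hex,
    no separators). Any hash works; the .cscfg only accepts the sha1 one."""
    return hashlib.new(algorithm, der).hexdigest().upper()

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [], 0
    for b in value:                         # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)           # first byte packs arcs 1 and 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def signature_algorithm(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the signing algorithm read from the DER: the field Azure never checks."""
    _, cert, _ = _tlv(der, 0)               # outer SEQUENCE
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)          # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIGNATURE_ALGORITHMS.get(_decode_oid(oid), _decode_oid(oid))

def _der(tag: int, value: bytes) -> bytes: return bytes([tag, len(value)]) + value

# Constructed sample (NOT a real certificate): empty tbsCertificate, a
# sha256WithRSAEncryption AlgorithmIdentifier and a dummy signature BIT STRING.
SAMPLE_DER = _der(0x30, _der(0x30, b"")
                  + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
                  + _der(0x03, bytes.fromhex("00010203")))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

Running `thumbprint(pem_to_der(open("cert.pem").read()))` on a real PEM file gives the same value Windows shows in the certificate properties window, whatever `signature_algorithm` reports.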
Thank you to Morgan Simonsen for his excellent blog post Understanding X.509 digital certificate thumbprints which details the different certificate algorithms.