Windows Server, SHA-2 Compatibility and You

Bletchley Park

Image courtesy of Adam Scott

As of 2010. NIST has recommended that the SHA1 protocol be deprecated. Like most technology the pace of updating and rolling out applications with SHA-2 Compatibility is slow. The current policy statement on hash functions can be found here: Further guidance on the use of SHA-2 is provided in SP 800-57 Part 1, section 5.6.2 and SP 800-131A. Even though it has not been proven broken, it is assumed that it is no longer safe to use. It is the normal progression of technology and science. Computers get faster. Attacks get better. Therefore our defenses must get better. To prepare for SHA1’s obsolescence, NIST held a competition to identify a successor to the SHA2 algorithm that ran from 2007 to 2012. The KECCAK algorithm was selected but is not yet available.

MICROSOFT IIS and lack of SHA2 support

So you would think,that with all that advanced warning that Microsoft would allow you to request certificates via IIS manager that are signed with SHA2 and have a SHA2 fingerprint? Right? Nope. Amazingly there is no SHA-2 compatibility when attempting to sign certificate requests even from the latest version of IIS Manager. furthermore, WindowsXP and Windows Server 2003 do not natively possess the capability to decipher SHA2. In order for these systems to be able to decipher SHA2, a hotfix needs to be installed.

From Microsoft’s PKI Blog

KB 938397
Though support SHA2 is not included in Windows Server 2003 Service Pack 2, it is available for download. KB 938397 will bring Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3. KB 938397 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 938397 is also offered for Windows Server 2003 Service Pack 1.

KB 968730
With the release of Windows Server 2008 it was found that Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 with KB 938397 were unable to request certificates from a Windows Server 2008 (and 2008 R2) certificate authority (CA) who’s certificate was signed with a SHA2 hash. KB 968730 was release to address this issue. Incidentally, KB 968730 completely supersedes KB 938397; so if a Windows Server 2003 Service Pack 2 system would need to both enroll from a SHA2 certificate authority and process SHA2 certificates, only KB 968730 would need to be installed. As before, KB 968730 is not available via Windows Update; it needs to be requested via the “View and request hotfix downloads” link on the support page. Note, KB 968730 is not offered for Windows Server 2003 Service Pack 1.

A Windows 2003 server will be able to validate a SHA2 signed certificate but not sign anything using SHA2 itself. I’m not going to even mention WinXP. You aren’t using WinXP, are you?

What to do?

In order to work around this issue, I created a Powershell script for my users to approximate the ease of the certificate request GUI from IIS Manager. This is used to create a certificate signing request that can be submitted to a certificate authority; either managed or internal to your organization. Obviously, I would recommend running Windows Server 2012 R2 for best compatibility and fullest range of algorithm support.

 

How it works

The script will need to be edited to reflect your standards for O, OU, City, State and Country.  Common name and friendly name are entered as variables. The script generates a standard server authentication certificate request suitable for your standard webserver.  If you need client authentication, you wil need to add the OID for client authentication.

Subject variables can be found here in the script:

switch ($answer){
1 {“Public selected”;
$OrgUnit = Read-Host “Please enter your Line of Business or Business Unit to be entered as OU in certificate request”
$Locality=”City”
$State=”State”
$Country=”US”
$Organization=”Your Organization”
}
0 {“Internal Selected”
$Locality=”City”
$State=”State”
$Country=”US”
$Organization=”Your organization”
$OrgUnit=”Your org unit”}
}

Put your OID for client authentication here:

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

 

 

The script can be found here.

 

Execute the Script

Open an administrator Powershell prompt and start the script.  The script will ask for friendly name and common name.

powershell_begin

You will be asked if you want to add Subject Alternate Names to your certificate request.  The script allows up to 4 SAN’s.Then you are asked whether you are requesting a public or internally trusted certificate.  Internal to the script, there are two separate text strings to delineate the two distinguished names (Organization, Organizational Unit, City, State, Country).

powershell1

The script will generate an INF and call certreq application.

 

powershell2

You will get a pop-up.

powershell3

 

This popup allows you to set the password on your private key.  It has to conform to your machine’s password policy.

 

powershell4

 

Enter your password.

powershell5

This popup happens as the private key signs the certificate signing request.

powershell6

Congratulations! You’ve generated a SHA256 signed certificate request.  Open the MMC console and add the certificates snap in.  Select ‘My Computer’ and click on the certificate request folder.

powershell7

You’ll be able to see your request and check the properties.

powershell8

Alternatively, you can copy the Base64 encoded CSR and paste it into an online CSR decoder.  The INF file used to create the CSR and the Base64 encoded CSR are in the same folder as the script was run from.

powershell9

 

  Quick Script Overview

When the script is run, it asks the user to answer a number of questions to build an INF file that is passed to the certreq utility. The configurable parts of the INF are the Subject and whether the key is exportable. You must have administrative rights to run this script as it creates a key in the machine’s keystore. The certreq utility is called by the script and given the INF as an input and creates a CSR as the output. The CSR makes a request signed by SHA2 for a RSA 2048 bit certificate. The signing Certificate Authority determines which algorithm the certificate is signed with; SHA1 or SHA256.

 

 

Please let me know if this helped you or your users by leaving a comment or contacting me.

You may also like...

Leave a Reply

%d bloggers like this: