Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: SHA2 Self Signed Cert

18 Aug 2016   #1
bfrisan

windows 7
 
 
SHA2 Self Signed Cert

Our Nessus vulnerability scanner has been flagging our computers with the following vulnerability: SSL Certificate Signed Using Weak Hashing Algorithm

Basically what it's telling us is that we need to upgrade the local Remote Desktop Certificate from SHA1 to SHA2.

These certificates are self-signed and self-generated by the local machine. If you look at the certificate you'll see that theIssued to: and Issued by: fields show the name of the local machine.

The question is: how do these auto-generated, self-signed certificates, which are currently SHA1, get upgraded to SHA2? Remember, these are not created by the local Enterprise CA, they're auto-generated by the local machine itself for Microsoft-branded software such as AD and RDC.

Looking for ideas/suggestions on how to do this.




Attached Thumbnails
SHA2 Self Signed Cert-923226.png  
My System SpecsSystem Spec
.
19 Aug 2016   #2
Alejandro85

Windows 7 Ultimate x64
 
 

You have a worse problem that your scanner isn't telling (or it is?): You're using the default self-signed certificate! That's your real problem.

The default self generated certificate is only meant to provide support for the protocol, but doesn't actually gives you any kind of security, because just anyone can replicate it with zero effort. It doesn't gives you authentication.

Using another self-signed certificate isn't going to give any extra security, it would only silence the scanner without achieving anything useful. What you really need it a serious certificate issued by someone you trust. You mention a "local enterprise CA", if you have it, by all means, use it! Issue certificates from it to all machines, so you get some security, and while doing so, then listen to that scanner and make sure that the certs are signed with SHA256.
Now to install the certificate itself and make Windows use it, there are many tutorials out there. One of such is this one: Replacing the default (self signed) certificate on a RD Session Host server Adrian Costea's blog

Another question would be, do you even use remote desktop for connecting into those hosts? If not, why bother? Just leave them as they are, as you won't use a "vulnerable" service at all.

BTW, at this point, the attacks on SHA1 are mostly theoretical, requiring great hardware to be successful, not something possible to the average hacker but within the capabilities of governments for example. While it's a good idea to no longer issue certs using SHA1, I wouldn't desperately rush to replace all of them, specially on an intranet.
My System SpecsSystem Spec
23 Aug 2016   #3
bfrisan

windows 7
 
 

Thanks for your response but we still need to know how to create auto generated self signed SHA2 certs.
My System SpecsSystem Spec
.

23 Aug 2016   #4
Alejandro85

Windows 7 Ultimate x64
 
 

Why do you "still need it"? A self signed certificate is totally useless for any security purpose (other than toying/testing). Be sure to not to fall victim of the placebo effect of a green icon of an analysis tool without understanding its real meaning.

That said, Windows will never create anything other than a SHA1 signature certificate by itself. You need another software to produce it. OpenSSL is widely known to handle it, although it's command line only. I personally like xca as a GUI alternative for those chores.

Just be sure to understand that you're NOT adding any security at all by that change alone.
My System SpecsSystem Spec
Reply

 SHA2 Self Signed Cert




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
As sites move to SHA2 encryption, millions face HTTPS lock-out
As sites move to SHA2 encryption, millions face HTTPS lock-out | ZDNet
News
Windows 7 Cert.
I'm currently in 60-780 Operating Systems class and we will be taking the Windows 7 Cert this October. Is there any advice to prepare myself for it other than study? Any links to something I should check out would be helpful. I'm new here so thanks for the help guys!
General Discussion
MTA Cert Just For Show?
So my class is taking the MTA exam (Operating System Fundamentals Exam 98-349) next week and I was just wondering is it pretty much just a resume filler? Does it count towards MCTS or do I need to do different certs for that one? Also, is there any study guide for MTA? I'm pretty confident I...
Chillout Room


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:48.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App