Are SHA-1 client certificates unsupported in W10 Edge/IE11?

certificate ssl windows-server-2012-r2

I'm aware that SHA-1 server certificates that chain to Root CA certificates within Microsoft's Trusted Programme are unsupported by Edge and IE11 on Windows 10, as of a couple of years ago.

We have an IIS web farm hosting our ASP.NET systems. The server uses a root certificate that, while was generated using SHA-1, is not part of the Trusted Programme and therefore has no problem when being used to connect to it securely; the problem is that some of our applications require smartcard authentication, which as soon as they're prompted to enter the PIN, Edge/IE11 kills the connection.

It's as if Edge/IE11 won't allow the transmission of SHA-1 based certificates.

One strange caveat to this is that if I force IE11 to use only deprecated TLS versions (i.e. TLS 1.0) then it works, in that the smartcard certificate is transmitted and used to authenticate. If I force IE11 to use TLS 1.2 then it fails.

Using certutil I'm able to determine that the smartcard client certificate was generated using SHA-1 and is also signed by the Root CA certificate used on the server.

IE11 works perfectly fine from Windows 7, so I assume the security policy only affects W10 versions.

Did I miss an announcement that this would also affect client certificates? The original announcement made it clear this would not be the case:

How will SHA-1 client authentication certificates be impacted?

The mid-2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.


Solution 1:

It does not surprise me that client certificates no longer work that use SHA1. Client certificates is a feature in IIS that really never took off and Microsoft is not spending a lot of time on it anymore. Edge browser accounts for about 5% of the Browser market share and chrome never supported PIV. PIV authentication within a browser has been replaced with newer technology like FIDO U2F and FIDO2. If you have an application that that requires a high level of security, then you should not be using Smart Cards with SHA1 certificates and should be migrating to a newer technology. If you want to keep using the PIV protocol, than I would looking into the Yubikey 5 or PivKey. If you go with the Yubikey 5, then it support PIV and FIDO2 so migration should be easy and will not require a new token. If you don't want to do a lot of coding, the Yubikey also supports Yubikey authentication which you can code for in as little as 5 lines.

PIVKeys cost about $20 each depending on the formfactor. Yubikey 5 starts at $45. FIDO tokens cost about $20.

If you want to keep using PIV then you will need to reissue all your smart cards however, the root certificate should still be good since it is directly trusted by the computer (if in the root certificate store) and therefore the hash version does not matter.

Related

could not launch vCenter vSphere client
How to increase speed of RAID 5 with mdadm + luks + lvm
How to create conditional behaviour with pam_exec and PAM_TYPE?
AWS Organizations - How to globally set boundaries to allow assess only to predefined set of services?
Modelling or modeling? [duplicate]
What is the meaning of "less a function of" in the following sentence
What is the origin of the phrase "do a line with someone"?
The meaning and usage of "logo schmogo" [duplicate]
Improper placement of a comma
What does it mean "It’s raining men"? [closed]
Use of "will" in a past tense sentence
Someone/Something uses a lots of space (maybe more than really needed), what is this phenomenon called?