I know PCI compliance has been discussed before, and it’s not really the job of the certificate provider, but I thought this the best place to raise this issue (and it’s a bit more specific than previous discussions).
I’ve just had a customer trying to get through the automated PCI compliance scans. At first I was required to disable TLSv1 and a few ciphers (even though ssllabs already reported A grade), but no issues there.
However, I’m now faced with the following -
"The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm. Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual
sunsetting of the SHA-1 cryptographic hash algorithm.
The following known CA certificates were part of the certificate
chain sent by the remote host, but contain hashes that are considered
to be weak."
Now first of all, I’m fairly certain, by looking at the fullchain.pem file, that “the remote host” is not sending the root CA certificate. They also mention being “in accordance with Google’s sunsetting of SHA-1”, yet even though this started at least 4 years ago, Google are clearly perfectly happy to still mark these certificates as “Secure”.
So are they being incorrect here and rejecting a certificate which should be perfectly valid?
Of course this does mean that as it stands, it’s impossible for an LE certificate to be used on any site where you may need PCI compliance, as they will reject the root CA…