My domain is: secure.lexicom.ca
Not sure this is the right category, but I couldn’t identify a better one, so here goes.
As part of a quarterly PCI “vulnerability” scan, the scanner (“SafeMaker”) raised a “non-compliant” vulnerability complaining about the “O=Digital Signature Trust Co./CN=DST Root CA X3” certificate in the chain. Specifically, their complaint is, “A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.” They claim it’s in compliance with the “sunsetting of SHA1 hashes”, but they provide no references on that sunsetting applying to root certificates.
My understanding is that they are raising this complaint in error since they’re complaining about a root certificate, but they have so far ignored the false positive I’ve raised. I haven’t been able to find any definitive policy reference on SHA-1 being allowed for the self-signature on root certificates, though. (Weak Google-fu maybe.)
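The point behind the post, as an added worked example that is not part of the original post and is not the scanner's logic: during path validation the root is a trust anchor, so its own self-signature is never verified, and therefore the hash it was self-signed with has no bearing on whether the chain is trusted. The Go program below uses only the standard library's crypto/x509 to build a constructed chain (the names "Test Root CA", "Test Intermediate CA" and "www.example.com" are made up for this example) with a SHA-1 self-signed root and SHA-256 subordinates, verifies the leaf successfully, and contrasts a naive scanner rule that flags every SHA-1 signature in the chain with one that excludes the self-signed trust anchor. It then builds a second chain in which the SHA-1 signature sits on the intermediate instead; Go 1.18 and later reject SHA-1 on signatures they actually verify, so that chain fails there, which is where SHA-1 in a chain really matters.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain is a constructed three-certificate hierarchy for the demonstration:
// a self-signed root, one intermediate and a server (leaf) certificate.
type chain struct {
	root, inter, leaf *x509.Certificate
}

// issue generates a fresh 2048-bit RSA key and signs a certificate for cn with
// the requested signature algorithm. When parent is nil the certificate is
// self-signed, i.e. it plays the role of a root.
func issue(cn string, isCA bool, sigAlg x509.SignatureAlgorithm,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    sigAlg,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain issues root -> intermediate -> leaf. rootAlg is used only for the
// root's self-signature; subAlg signs the intermediate and the leaf.
func buildChain(rootAlg, subAlg x509.SignatureAlgorithm) (chain, error) {
	root, rootKey, err := issue("Test Root CA", true, rootAlg, nil, nil)
	if err != nil {
		return chain{}, err
	}
	inter, interKey, err := issue("Test Intermediate CA", true, subAlg, root, rootKey)
	if err != nil {
		return chain{}, err
	}
	leaf, _, err := issue("www.example.com", false, subAlg, inter, interKey)
	if err != nil {
		return chain{}, err
	}
	return chain{root: root, inter: inter, leaf: leaf}, nil
}

// verifyLeaf runs standard path validation with the root as the only trust
// anchor. The root's own signature is never checked by Verify; only the
// signatures on the intermediate and the leaf are.
func verifyLeaf(c chain) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.root)
	inters := x509.NewCertPool()
	inters.AddCert(c.inter)
	_, err := c.leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: "www.example.com",
	})
	return err
}

// weakSignatures mimics a scanner rule: it returns the subjects of every
// certificate signed with SHA-1. With skipTrustAnchor set it ignores
// self-signed certificates (issuer == subject), whose signature is not part
// of path validation.
func weakSignatures(certs []*x509.Certificate, skipTrustAnchor bool) []string {
	var hits []string
	for _, c := range certs {
		if skipTrustAnchor && bytes.Equal(c.RawIssuer, c.RawSubject) {
			continue
		}
		switch c.SignatureAlgorithm {
		case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
			hits = append(hits, c.Subject.CommonName)
		}
	}
	return hits
}

func main() {
	weakRoot, err := buildChain(x509.SHA1WithRSA, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-1 root, SHA-256 subordinates, verify error:", verifyLeaf(weakRoot))
	certs := []*x509.Certificate{weakRoot.leaf, weakRoot.inter, weakRoot.root}
	fmt.Println("flagged by naive rule:", weakSignatures(certs, false))
	fmt.Println("flagged with trust anchor excluded:", weakSignatures(certs, true))

	weakInter, err := buildChain(x509.SHA256WithRSA, x509.SHA1WithRSA)
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-256 root, SHA-1 subordinates, verify error:", verifyLeaf(weakInter))
}
```

The first chain verifies cleanly in every Go release, because Verify only checks the signatures on the intermediate and the leaf against their issuers' public keys; the naive rule still flags "Test Root CA", which is exactly the finding described in the post. The second chain is the case a SHA-1 sunset is meant to catch: the weak signature is one a relying party actually has to trust.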