Please provide a screenshot of your CA certificate (not the root certificate) as evidence to verify that it uses SHA-2 encryption algorithm


#1

Hi,

I am trying to get my website PCI compliant however the scan keeps failing.

They are asking me to "provide a screenshot of your CA certificate (not the root certificate) as evidence to verify that it uses SHA-2 encryption algorithm".

Can someone tell me how to get that?

Thank you


#2

Hi,

I guess you are referring to the intermediate CA certificate, since you explicitly stated "not the root certificate".

In this case, here are the screenshots of the intermediate certificate (the one signed by DST):

Certificate cross-signed by DST:

Certificate signed by ISRG:

You can get this information by downloading the certificate (PEM / CRT file) and running it through OpenSSL x509, or by opening it directly in Windows (show certificate).

Thank you


#3

Can you give the site name?
It would be easy to get the cert (and chain) from that.
Or to see what is failing…
Perhaps your site is NOT providing the complete chain?


#4

It doesn’t seem like a screenshot provides very meaningful proof of anything here. After all, the screenshot doesn’t prove that your site is properly configured (since anyone could just send in a screenshot of the configuration of someone else’s site!).

If the problem is just the SHA-1 self-signed DST root certificate, this is a misinterpretation of the PCI rules, as discussed in these two previous threads:


(As @cpu explained in the earlier thread, “Root certificates are exempt from the SHA1 sunsetting because, in effect, their signatures are not used in the process of making a trust decision […]”.)

If you have some other SHA-1 certificate in your chain, that’s probably a misconfiguration of your server, which we can’t diagnose without knowing your domain name.
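The check that posts #2 and #4 describe, as an added example (not code from the original thread or from Let's Encrypt): it reads the certificates in a PEM chain file, pulls the outer signature algorithm of each one out of the DER structure using only the Python standard library, and reports a SHA-1 signature as a finding unless the certificate is self-signed (issuer equals subject), which is the root exemption quoted in #4. The three-certificate sample chain, the names in it ("Toy Intermediate X1", "Toy Root CA", example.test) and the placeholder key and signature bytes are constructed for the example and are not real certificates; the toy DER builder exists only to produce that sample.

```python
import re
import ssl
import sys
# OID -> name for the signature algorithms a PCI scanner cares about
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256", "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}
WEAK_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
OID_CN = "2.5.4.3"

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, content, end). Single-byte tags, as X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Members of a constructed value as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(content):
    parts, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def _common_name(name):
    """CN from an X.501 Name: SEQUENCE OF SET OF { type OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if _decode_oid(oid) == OID_CN:
                return value.decode("utf-8", "replace")
    return "?"

def parse_certificate(der):
    """Subject/issuer CN, the *outer* signature algorithm, and whether issuer == subject."""
    _, body, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    (_, tbs), (_, sig_alg), _ = _children(body)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]       # serial, signature, issuer, validity, subject, ...
    oid = _decode_oid(_children(sig_alg)[0][1])        # AlgorithmIdentifier.algorithm
    return {"subject": _common_name(subject), "issuer": _common_name(issuer),
            "algorithm": SIG_ALGS.get(oid, oid), "self_signed": issuer == subject}

def load_pem_chain(text):
    """Every CERTIFICATE block in a PEM file (e.g. fullchain.pem) as DER, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]

def check_chain(ders):
    """Verdict per cert: 'ok', 'weak' (fails the SHA-1 sunset), or 'root-exempt' (weak algorithm
    on a self-signed cert; that signature is never verified, so it is not a finding)."""
    findings = []
    for der in ders:
        info = parse_certificate(der)
        weak = info["algorithm"] in WEAK_ALGS
        info["verdict"] = "root-exempt" if weak and info["self_signed"] else "weak" if weak else "ok"
        findings.append(info)
    return all(f["verdict"] != "weak" for f in findings), findings

# --- constructed sample chain: toy DER with placeholder key and signature bits, not real certs ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.insert(0, (v & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(OID_CN)) + _tlv(0x0C, cn.encode()))))

def make_toy_cert(subject_cn, issuer_cn, sig_oid):
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00\x30\x00"))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))   # signature bits are a placeholder

SAMPLE_CHAIN = [
    make_toy_cert("example.test", "Toy Intermediate X1", "1.2.840.113549.1.1.11"),  # leaf, SHA-256
    make_toy_cert("Toy Intermediate X1", "Toy Root CA", "1.2.840.113549.1.1.11"),   # intermediate, SHA-256
    make_toy_cert("Toy Root CA", "Toy Root CA", "1.2.840.113549.1.1.5"),            # self-signed root, SHA-1
]
SAMPLE_PEM = "".join(ssl.DER_cert_to_PEM_cert(d) for d in SAMPLE_CHAIN)
if __name__ == "__main__":   # usage: python check_chain.py fullchain.pem (no argument: the toy chain)
    passed, findings = check_chain(load_pem_chain(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CHAIN)
    print("\n".join(f"{f['verdict']:12}{f['algorithm']:26}{f['subject']!r:30} issued by {f['issuer']!r}" for f in findings))
    sys.exit(0 if passed else 1)
```

Run it as `python check_chain.py fullchain.pem` against the chain your server actually sends, not against files on disk you believe it sends. To capture that chain, `openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null` prints every certificate the server presents, and `openssl x509 -in cert.pem -noout -text` shows the `Signature Algorithm` line that the scanner's screenshot request is really about. A weak algorithm reported only on a self-signed root is the situation #4 describes and is not a finding; a weak algorithm on the leaf or an intermediate is a real one. The script reads algorithm identifiers only; it does not verify any signature or build a trust path.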

