We have a hosted customer for which we supply a Let’s Encrypt certificate. They are trying to complete PCI certification and one of the failure points is that there is an SHA-1 signed certificate in the chain.
They are reporting:
The following known CA certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
|-Subject : O=Digital Signature Trust Co./CN=DST Root CA X3
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : Sep 30 21:12:19 2000 GMT
|-Valid To : Sep 30 14:01:15 2021 GMT
SHA-1 signed certificates that expire after January 1, 2017 are not allowed.
Is there any plan to update the certificate chain?
The subject of the certificate shared in the report is from the Identrust DST Root CA X3. Root certificates are exempt from the SHA1 sunsetting because, in effect, their signatures are not used in the process of making a trust decision:
In short, the signature on a root certificate is not verified as the software trusts the root certificate public key directly. A root certificate is self-signed and is not signed by another entity that has been given authority. The root certificate gets authority through the root certificate program managed by the operating system or browser developer.
You should verify that your hosted customer is not including the DST Root CA X3 certificate in the chain of certificates returned from their webserver in the TLS handshake. Sometimes folks will misconfigure their servers to send the end entity (leaf) certificate, the Let's Encrypt intermediate, and the Identrust Root Certificate. This is incorrect - only the end entity and intermediate certificate should be presented by the web server, the root is expected to be on the client machine.
In short: there's no plan to update the Identrust root certificate - we don't control it directly and its usage of SHA1 isn't an issue.
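One way to run the check recommended above, as an added example that is not part of the original thread: a stdlib-only Python script that parses `openssl s_client -connect host:443 -servername host -showcerts` output and flags a served chain that contains a self-signed root (or is out of order). The hostname, the intermediate's name and the sample output are constructed; the DST Root CA X3 subject comes from the scan report.

```python
import re
import subprocess
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = host" lines
ISSUER_RE = re.compile(r"^\s*i:(.*)$")        # "   i:O = ..., CN = ..." lines

@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str = ""

    @property
    def self_signed(self) -> bool:
        # A root's subject equals its issuer; clients already hold roots, so serving one is a misconfiguration.
        return self.subject == self.issuer

def parse_chain(s_client_output: str) -> list[ChainEntry]:
    """Extract the 'Certificate chain' entries; PEM bodies and other s_client output are skipped."""
    entries: list[ChainEntry] = []
    for line in s_client_output.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip()))
        elif (m := ISSUER_RE.match(line)) and entries:
            entries[-1].issuer = m.group(1).strip()
    return entries

def audit_chain(entries: list[ChainEntry]) -> list[str]:
    """Return findings (served root, broken order); an empty list means the chain looks right."""
    if not entries:
        return ["no certificate chain found in s_client output"]
    findings = [f"cert {e.index} ({e.subject}) is self-signed: remove the root from the served chain"
                for e in entries if e.self_signed]
    for lower, upper in zip(entries, entries[1:]):
        if lower.issuer != upper.subject:
            findings.append(f"cert {upper.index} is not the issuer of cert {lower.index}: chain out of order or incomplete")
    return findings

def fetch_chain(host: str, port: int = 443) -> str:
    """Live capture via the openssl CLI; -servername picks the right virtual host under SNI."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True, text=True, timeout=20).stdout

# Constructed sample of s_client output (PEM bodies omitted): leaf, intermediate, and the root sent as a third cert.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = shop.example.net
   i:O = Example CA, CN = Example Intermediate X3 (constructed)
 1 s:O = Example CA, CN = Example Intermediate X3 (constructed)
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
```

Running `audit_chain(parse_chain(SAMPLE_OUTPUT))` reports the served root at index 2; feed it `fetch_chain("your.host")` to test a live server.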