cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Go to solution

Godaddy SSL certificate root uses SHA1 and that FAILED my PCI Check - No Support!

I have an e-commerce site that is secured by a Godaddy SSL cert.  IIS 8.5 running on Windows 2012R2.

 

However, I just FAILED the PCI scan of this site because of the fact that the root certification authority certificate is 14 years old and uses SHA-1. 

 

Here is the PCI vulnerability:

CategoryGeneral
CVECVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068cwe : 310osvdb : 45127, 45106, 45108 }
CVSS base score5.0
DescriptionSSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
Host40.86.80.200
Threat-
ImpactThe remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.<br/><br/>Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
SolutionContact the Certificate Authority to have the certificate reissued.
PCI compliantNo
PCI details-
ReasonA known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.
PCI detailsmedium
Port443 / tcp / www
Host name-
Host OS-
Result

The following known CA certificates were part of the certificate
chain sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : Jun 29 17:06:20 2004 GMT
|-Valid To : Jun 29 17:06:20 2034 GMT

 

I contacted Godaddy Support and the person on the line refused to help me and refused to transfer me to a supervisor.  I was directed to redownload the root cert from the repository but it is this same weak compromised worthless root cert.  I was told that GoDaddy refused to give actual support because my server is an Azure VM and was not acquired from Godaddy.

 

It is disconcerting to think that I will have to go buy a cert from an honest provider who will give me a cert chain that actually works and does not leave me non-compliant and at risk of merchant termination. I am dumbfounded that Godaddy was so overtly hostile and vicious to a paying customer with 100+ domains and multiple certs.

 

Can anyone give me help where Godaddy flatly refuses to support its own certs?

1 REPLY 1
Moderator
Moderator
Solution

Re: Godaddy SSL certificate root uses SHA1 and that FAILED my PCI Check - No Support!

I'm really sorry to hear that you had a negative experience with our support teams.  That doesn't sound like a typical situation at all, and I can assure you that if there is an issue with the certificate itself working properly, that is something we would assist you with.  If the actual issue is with the installation of the certificate on a third party server, that does limit what support options we would be able to provide.  

 

I would recommend running the tests listed in the following article to determine what issue is preventing the successful installation: https://uk.godaddy.com/help/test-your-ssls-configuration-6015.  That should give you the information you need to resolve the error.  Thanks.  

 

MPC