A Hundred Domains and SHA-1 Depreciation

Wed, 17 Sep 2014 16:27:17 -0400

Apparently I’ve been living under a rock for a while, because I didn’t know that SHA-1 was being phased out in the immediate future. Thank you, GoDaddy, for notifying me with a month and change to spare. As it turns out, Google will no longer be trusting certain SHA-1 signed SSL certificates with the release of Chrome 39, which is set for November. For details, see the following links.

Gradually Sunsetting SHA-1 (Google)
SHA1 Deprecation Policy (Microsoft)
Phasing out Certificates with 1024-bit RSA Keys (Mozilla)

Due to the fact that our clients often purchase their own SSL certificates, we have no internal records to check what algorithm was used to sign the certificates in use. So now we get to audit slightly over 100 domains to check and see what signature algorithm is in use. We could browse to each domain manually and take a look at their certificate but that would just take way too long. There were some web based tools around that could do it, but they also only worked on one site at a time.

So, instead, I looked to PowerShell to see what could be done… Unfortunately, there was no native cmdlet to do anything like this! I did find a module that had a lot of great PKI-related functionality, the Public Key Infrastructure PowerShell module, but it, too, didn’t have the much-needed signature algorithm. However, it did provide a very robust base on which to build. Below is the solution I came up with.

function get-SSLSigningAlgorithm {
[CmdletBinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
[string]$URL,
[Parameter(Position = 1)]
[ValidateRange(1,65535)]
[int]$Port = 443,
[Parameter(Position = 2)]
[Net.WebProxy]$Proxy,
[Parameter(Position = 3)]
[int]$Timeout = 15000,
[switch]$UseUserContext
)
$ConnectString = "https://$url`:$port"
$WebRequest = [Net.WebRequest]::Create($ConnectString)
$WebRequest.Proxy = $Proxy
$WebRequest.Credentials = $null
$WebRequest.Timeout = $Timeout
$WebRequest.AllowAutoRedirect = $true
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try {$Response = $WebRequest.GetResponse()}
catch {}
if ($WebRequest.ServicePoint.Certificate -ne $null) {
$Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate.Handle
write-host $Cert.SignatureAlgorithm.FriendlyName;
} else {
Write-Error $Error[0]
}
}

I’ll create a CSV of the domains that I need to check, and iterate over them in a for-each loop. That function will be used within the loop to check the sites, and the output will go into another CSV. We’ll use that to plan our re-keying.

SSL | The End of the Tunnel

A Hundred Domains and SHA-1 Depreciation