I've carefully created a free StartSSL / StartCom SSL certificate based on the SHA256 algorithm for my website: http://cloud.mdk-photo.com
When using this certificate in IIS 7.5 (2008R2) and later 8.5 (2012R2) I constantly get an error message in Chrome (yellow hinge) saying that my CA chain is using SHA1.
I've deleted ALL SHA1RSA certificates using cert manager and MMC (root certs and intermediates), yet the SHA1 CA certs automatically get added all the time??
I've also made sure that I've imported the SHA256 versions of the StartCom CA certificates!!
PS:
I've activated the Best practice setup using Nartac IIS Crypto: https://www.nartac.com/Products/IISCrypto
I've noticed that AES256 CBC is therefore active, which could cause this SHA1 problem according to this article/thread: https://community.qualys.com/thread/14041
PPS:
According to this discussion on StartCom regarding the SHA1 problem ( https://forum.startcom.org/viewtopic.php?f=15&t=16197&p=22355&hilit=sha1#p22355 ) I simply need to delete the CA certs and import the SHA256 versions. This doesn't help one bit :(
I've hit rock bottom. I don't know what to do anymore.
PPPS:
When visiting the HTTPS websites on the LAN I get the green hinge!?
- Root CA = SHA1
- Intermediate CA = SHA256
- Cert = SHA256
When visiting the HTTPS websites from the WAN I get a yellow hinge:
- Root CA = SHA1
- Intermediate = SHA1
- Cert = SHA256
PPPPS:
My setup is as follows:
- Windows 2012 R2 Webserver
>> Reverse Proxy -> Virtualized AeroFS Private Cloud Server (using cloud.mdk-photo.com certificate)
>> Main default website (non https) that has bindings for each reverse proxy, mapping each certificate to the internal server
>> RRAS VPN Role using home.mdk-photo.com certificate (sha1)
- Windows 2008 R2 Domain Controller
- Windows 7 / 10 Clients which are all members of the domain
---------------
I want to have a trusted HTTPS/SSL website with a green hinge, but I'm clueless how to actually achieve that :(
Help me IIS Kenobi, you're my only hope!
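The post's LAN-vs-WAN difference comes down to which certificates are actually in the chain the server sends and how each of them is signed. The script below is an added example, not code from the original post or from StartCom or IIS: it reads the outer `signatureAlgorithm` OID straight out of every DER certificate in a PEM bundle and flags the SHA1-signed ones, so the chain presented from outside can be checked without trusting what the browser's padlock shows. The assumed way to obtain that bundle is the standard OpenSSL command `openssl s_client -connect cloud.mdk-photo.com:443 -servername cloud.mdk-photo.com -showcerts` (host name from the post, port 443 assumed), saving the output to a file. The sample chain at the bottom of the script is constructed: DER skeletons with a real Certificate outer layout but a dummy body and signature, arranged to mirror the WAN chain the post reports (SHA256 leaf, SHA1 intermediate, SHA1 root).

```python
"""Report the signature algorithm of every certificate in a PEM bundle.
Added example (not from the original post). Run with a saved bundle:
    python chain_sig.py chain.pem
or with no argument to use the CONSTRUCTED sample chain defined below."""
import base64
import re
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted string (the first byte packs the first two arcs)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate, whose layout is
    SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE { OID, params }, BIT STRING }."""
    tag, start, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)  # skip tbsCertificate entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return _decode_oid(der[oid_start:oid_end])

def chain_report(pem_text):
    """[(index, algorithm name, is_sha1), ...] for each certificate, in bundle order."""
    report = []
    for i, m in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_oid(base64.b64decode("".join(m.split())))
        name = SIG_OIDS.get(oid, oid)  # unknown OIDs are reported in dotted form
        report.append((i, name, "sha1" in name.lower()))
    return report

# ---- constructed sample data (NOT real certificates) -------------------------
def _tlv(tag, content):
    """Minimal DER encoder supporting short and long length forms."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:  # base-128 with continuation bits, most significant first
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert_der(sig_oid):
    """Skeleton with only the Certificate outer layout; tbs and signature are dummies."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Mirrors the chain the post reports from the WAN: SHA256 leaf, SHA1 intermediate, SHA1 root.
SAMPLE_WAN_CHAIN = "".join(to_pem(fake_cert_der(o)) for o in
                           ["1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.5"])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WAN_CHAIN
    for i, name, weak in chain_report(text):
        print(f"cert[{i}]: {name}{'   <-- SHA1' if weak else ''}")
```

Run it against a bundle captured from the LAN and one captured from the WAN and compare the two reports. The script only describes what the server sends; a browser's padlock reflects the chain the client builds, which on Windows can draw on CA certificates already installed or cached on that machine, so a chain that looks clean from a domain-joined client may still be served with a SHA1 intermediate to everyone else.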