I'm aware that SHA-1 server certificates that chain to Root CA certificates within Microsoft's Trusted Programme are unsupported by Edge and IE11 on Windows 10, as of a couple of years ago.

We have an IIS web farm hosting our ASP.NET systems. The server uses a root certificate that, while it was generated using SHA-1, is not part of the Trusted Programme and therefore has no problem when being used to connect to it securely; the problem is that some of our applications require smartcard authentication, and as soon as the user is prompted to enter the PIN, Edge/IE11 kills the connection.

It's as if Edge/IE11 won't allow the transmission of SHA-1 based certificates.

One strange caveat to this is that if I force IE11 to use only deprecated TLS versions (i.e. TLS 1.0) then it works, in that the smartcard certificate is transmitted and used to authenticate. If I force IE11 to use TLS 1.2 then it fails.

Using certutil I'm able to determine that the smartcard client certificate was generated using SHA-1 and is also signed by the Root CA certificate used on the server.

IE11 works perfectly fine from Windows 7, so I assume the security policy only affects W10 versions.

Did I miss an announcement that this would also affect client certificates? The original announcement made it clear this would not be the case:

How will SHA-1 client authentication certificates be impacted?

The mid-2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.

Lee

2 Answers


It does not surprise me that client certificates that use SHA1 no longer work. Client certificates are a feature in IIS that really never took off, and Microsoft is not spending a lot of time on it anymore. The Edge browser accounts for about 5% of the browser market share, and Chrome never supported PIV. PIV authentication within a browser has been replaced with newer technology like FIDO U2F and FIDO2. If you have an application that requires a high level of security, then you should not be using smart cards with SHA1 certificates and should be migrating to a newer technology. If you want to keep using the PIV protocol, then I would look into the Yubikey 5 or PivKey. If you go with the Yubikey 5, then it supports PIV and FIDO2, so migration should be easy and will not require a new token. If you don't want to do a lot of coding, the Yubikey also supports Yubikey authentication, which you can code for in as little as 5 lines.

PIVKeys cost about $20 each depending on the formfactor. Yubikey 5 starts at $45. FIDO tokens cost about $20.

If you want to keep using PIV then you will need to reissue all your smart cards; however, the root certificate should still be good, since it is directly trusted by the computer (if in the root certificate store) and therefore the hash version does not matter.

Joe
  • Thank you for this information. Unfortunately it's not going to be easy reissuing smartcards as we have about 10,000 employees just in our local branch and they're managed centrally! – Lee Dec 18 '19 at 08:47

Are you sure SHA1 certificates are not supported in IE11?

We have Windows Server 2012 R2 with IIS (web server certificate is SHA256, TLSv1.2 only). The web page uses users' personal certificates for authentication. In IE11, certificates with a SHA1 signature algorithm are working - users can authenticate and work in the application. This also works in Firefox.

In Edge/Chrome it doesn't work; the connection is closed.

Maybe you should check this setting - Protecting Against Weak Cryptographic Algorithms: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn375961(v=ws.11)?redirectedfrom=MSDN

  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/501743) – djdomi Nov 06 '21 at 18:37
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 11 '21 at 15:43
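As an added example (not code from the question or either answer), the following PowerShell audit lists certificates in the user and machine personal stores whose signature algorithm is SHA-1, which is where propagated smartcard certificates and server certificates live, and then reads the weak-algorithm policy key that the linked "Protecting Against Weak Cryptographic Algorithms" article documents. The registry path and the `Weak*` value-name prefix are taken from that article; the function name and output layout are my own.

```powershell
# Added example: audit personal certificate stores for SHA-1 signed certificates.
# Store paths are the standard Windows certificate provider paths.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Get-Sha1SignedCert {
    param([string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'
            $_.SignatureAlgorithm.FriendlyName -match '^sha1'
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                SigAlg     = $_.SignatureAlgorithm.FriendlyName
                HasPrivKey = $_.HasPrivateKey   # client/smartcard certs usable for auth
                NotAfter   = $_.NotAfter
            }
        }
    }
}

Get-Sha1SignedCert -StorePaths $stores | Format-Table -AutoSize

# Weak-algorithm policy settings, if any have been configured on this host.
# Key path as documented in the linked Microsoft article (assumed unchanged).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object -Property 'Weak*'
} else {
    Write-Output "No weak-algorithm policy values set under $policyKey"
}
```

Run it once on an affected Windows 10 client and once on a working Windows 7 client; a difference in the SHA-1 list or in the policy values narrows down whether the certificate chain or a local policy is what the browser is rejecting.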