
SHA1 Root Certificates - the case of servers returning the root certificate

With the SHA1 deprecation, the case of SHA1 root certificates had to be considered. Root certificate signatures, contrary to those of intermediate and end-entity (server) certificates, aren't checked: their integrity is ensured by the audit procedures of browsers and operating systems. It is therefore perfectly safe to keep using them for compatibility reasons.

However, this creates an interesting case: servers that return the root certificate. This behavior is suboptimal, as it increases the size of the SSL/TLS handshake, and it should generally be avoided. Nonetheless, some servers behave this way, and in that case the root certificate is then automatically checked by the browser.

This creates a problem when the root certificate is signed using SHA1: the browser will generate a warning, even though this certificate is in its trusted root store.

That is why it is preferable to order a certificate signed by a SHA2 root.
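A quick way to check whether a server exhibits the behavior described above is to read the chain it sends. The following script is an added example, not part of this page or of TBS Certificates' tooling: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` (OpenSSL 3.x format, where each entry has `s:` subject, `i:` issuer and an `a:` line carrying `sigalg:`), flags any self-signed certificate the server includes (a root returned in the chain) and reports whether it is SHA1-signed. The sample output embedded below is constructed for the example; the subject names, the "Example Trust" CA and the certificate bodies are not real.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Matches the first line of each chain entry: " 0 s:CN = www.example.net"
CERT_LINE = re.compile(r"^\s*(\d+) s:(.*)$")


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str = ""
    sigalg: Optional[str] = None  # None when OpenSSL (1.1.x) prints no "a:" line

    @property
    def self_signed(self) -> bool:
        # A root sent by the server is recognised by subject == issuer.
        return self.subject == self.issuer

    @property
    def sha1_signed(self) -> bool:
        # OpenSSL short names: RSA-SHA1, ecdsa-with-SHA1, RSA-SHA256, ...
        return self.sigalg is not None and "SHA1" in self.sigalg.upper()


def parse_showcerts(text: str) -> List[ChainEntry]:
    """Extract subject, issuer and signature algorithm of every certificate
    in the chain section of `openssl s_client -showcerts` output."""
    entries: List[ChainEntry] = []
    current: Optional[ChainEntry] = None
    for line in text.splitlines():
        m = CERT_LINE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip())
            entries.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("i:"):
            current.issuer = stripped[2:].strip()
        elif stripped.startswith("a:"):
            alg = re.search(r"sigalg:\s*([^\s;]+)", stripped)
            if alg:
                current.sigalg = alg.group(1)
    return entries


def audit_chain(entries: List[ChainEntry]) -> List[str]:
    """Return human-readable findings: roots sent by the server (and whether
    they are SHA1-signed) plus any other SHA1-signed certificate."""
    findings: List[str] = []
    for e in entries:
        if e.self_signed:
            msg = f"#{e.index} ({e.subject}) is a self-signed root sent by the server"
            if e.sha1_signed:
                msg += "; it is SHA1-signed, so browsers will validate it and warn"
            findings.append(msg)
        elif e.sha1_signed:
            findings.append(f"#{e.index} ({e.subject}) is SHA1-signed")
    return findings


# Constructed sample of OpenSSL 3.x `s_client -showcerts` output (not real
# certificates): the server sends leaf, intermediate and a SHA1-signed root.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.net
   i:C = XX, O = Example Trust, CN = Example Intermediate CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2024 GMT; NotAfter: Jan  1 00:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIBc29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Trust, CN = Example Intermediate CA
   i:C = XX, O = Example Trust, CN = Example SHA1 Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2020 GMT; NotAfter: Jan  1 00:00:00 2030 GMT
-----BEGIN CERTIFICATE-----
MIIBc29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
 2 s:C = XX, O = Example Trust, CN = Example SHA1 Root CA
   i:C = XX, O = Example Trust, CN = Example SHA1 Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2010 GMT; NotAfter: Jan  1 00:00:00 2035 GMT
-----BEGIN CERTIFICATE-----
MIIBc29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    # Pipe real output in, or run without input to use the constructed sample:
    #   openssl s_client -connect host:443 -servername host -showcerts </dev/null | python3 chain_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for finding in audit_chain(parse_showcerts(data or SAMPLE_OUTPUT)):
        print(finding)
```

With OpenSSL 1.1.x, which prints no `a:` line, the script still detects a root in the chain but reports no signature algorithm; inspect the returned root with `openssl x509 -text` in that case.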

Non-exhaustive list of servers returning the root

Here is a non-exhaustive list of servers returning the root, for which it is necessary to order a certificate with a full-SHA2 certification chain, including the root.
  • Blue Coat
  • Cegid Web Access Server
  • Checkpoint VPN
  • Cisco ASA
  • Citrix Access Gateway
  • Citrix Secure Gateway
  • Citrix Netscaler
  • Domino
  • HAProxy/Aloha
  • Zimbra

Useful links