Generate SHA256 signed certificates for WinRM #36668
Conversation
Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WithRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows as sha256WithRSAEncryption.

Some example SHA-1 deprecations include:
- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
- https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.

The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.

I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.
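The two things the description changes, the signature hash and the SAN list, are easy to get wrong and easy to verify, so here is an added example (my own code, not the Ansible script's) that issues a sha256WithRSAEncryption self-signed certificate through the X509Enrollment COM API and then reads back what the WinRM HTTPS listener is actually bound to. The COM route is used because it works on 2008R2 and 2012R2, whose New-SelfSignedCertificate has no hash-algorithm parameter. The function names, the 1095-day lifetime and the key security descriptor are my assumptions, not values taken from the PR.

```powershell
# Added example, not the project's code. Run elevated on the Windows host.
# Assumed names: New-Sha256WinRMCert, Test-WinRMListenerCert, 1095-day validity.

Function New-Sha256WinRMCert {
    Param(
        [string]$SubjectName = $env:COMPUTERNAME,
        [string[]]$DnsNames  = @($env:COMPUTERNAME,
                                 [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [int]$KeyLength      = 4096,
        [int]$ValidDays      = 1095
    )

    $subject = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $subject.Encode("CN=$SubjectName", 0)                  # XCN_CERT_NAME_STR_NONE

    # Machine-context RSA key. No ExportPolicy is set, so the key stays non-exportable;
    # the descriptor grants NETWORK SERVICE read so the WinRM service can use it.
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    $key.KeySpec        = 1                                 # AT_KEYEXCHANGE
    $key.Length         = $KeyLength
    $key.MachineContext = $true
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.Create()

    # EKU: serverAuth only.
    $ekuOid  = New-Object -ComObject X509Enrollment.CObjectId
    $ekuOid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
    $ekuOids = New-Object -ComObject X509Enrollment.CObjectIds
    $ekuOids.Add($ekuOid)
    $eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    $eku.InitializeEncode($ekuOids)

    # Key usage: digitalSignature (0x80) | keyEncipherment (0x20), critical.
    $ku = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
    $ku.InitializeEncode(0xA0)
    $ku.Critical = $true

    # SAN: short host name and FQDN, so a client connecting by either name validates.
    $altNames = New-Object -ComObject X509Enrollment.CAlternativeNames
    foreach ($dns in $DnsNames) {
        $an = New-Object -ComObject X509Enrollment.CAlternativeName
        $an.InitializeFromString(3, $dns)                   # XCN_CERT_ALT_NAME_DNS_NAME
        $altNames.Add($an)
    }
    $san = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $san.InitializeEncode($altNames)

    # This is the setting that decides sha1RSA vs sha256RSA: the hash OID of the signature.
    $sha256 = New-Object -ComObject X509Enrollment.CObjectId
    $sha256.InitializeFromValue("2.16.840.1.101.3.4.2.1")  # id-sha256

    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestCertificate
    $req.InitializeFromPrivateKey(2, $key, "")              # ContextMachine
    $req.Subject   = $subject
    $req.Issuer    = $subject
    $req.NotBefore = (Get-Date).AddDays(-1)
    $req.NotAfter  = $req.NotBefore.AddDays($ValidDays)
    $req.X509Extensions.Add($ku)
    $req.X509Extensions.Add($eku)
    $req.X509Extensions.Add($san)
    $req.SignatureInformation.HashAlgorithm = $sha256
    $req.Encode()

    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $pem = $enroll.CreateRequest(0)                         # base64 with PEM header
    $enroll.InstallResponse(2, $pem, 0, "")                 # AllowUntrustedCertificate -> LocalMachine\My

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([System.Text.Encoding]::UTF8.GetBytes($pem))
    return $cert.Thumbprint
}

# Find the thumbprint the HTTPS listener is bound to and inspect the certificate behind it.
Function Test-WinRMListenerCert {
    $listener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains "Transport=HTTPS" } | Select-Object -First 1
    if (-not $listener) { throw "No WinRM HTTPS listener configured" }
    $thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
        Where-Object { $_.Name -eq "CertificateThumbprint" }).Value -replace '\s', ''
    $cert   = Get-Item "Cert:\LocalMachine\My\$thumb"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }

    [PSCustomObject]@{
        Thumbprint         = $cert.Thumbprint
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # want sha256RSA, not sha1RSA
        KeySize            = $cert.PublicKey.Key.KeySize
        SubjectAltNames    = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }
        NotAfter           = $cert.NotAfter
        Ok                 = ($cert.SignatureAlgorithm.FriendlyName -eq "sha256RSA" -and
                              $cert.PublicKey.Key.KeySize -ge 2048 -and $null -ne $sanExt)
    }
}

# Usage:
#   $thumb = New-Sha256WinRMCert
#   New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $thumb -Force
#   Test-WinRMListenerCert
```

Two checks worth doing after binding the listener. From the Ansible control node, confirm what the wire actually presents rather than trusting the store: `openssl s_client -connect HOST:5986 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'Signature Algorithm|DNS:'` should print sha256WithRSAEncryption and both DNS names. And on Server 2016 or later the COM dance is unnecessary: `New-SelfSignedCertificate -DnsName $env:COMPUTERNAME,$fqdn -HashAlgorithm SHA256 -KeyLength 4096 -CertStoreLocation Cert:\LocalMachine\My` produces the same result; the 2012 R2 version of that cmdlet lacks -HashAlgorithm, which is why the older hosts in the description need the enrollment API.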
Sorry for taking so long to review, have just tested this on Server 2008 (non R2 kind) and it works without any issues. rebuild_merge
Hmm after the latest run in CI it fails on Server 2008. Will need to investigate more before merging in. Potentially the .NET version in AWS is different from the host I had locally.
Turns out the AWS AMI is running out of space causing the errors. Running this manually works fine for me so I'm just going to merge it in.
* Generate SHA256 signed certificates

  Vulnerability scanners are increasingly reporting SHA-1 signed certificates as a vulnerability on servers. Before this change, -ForceNewSSLCert generates a signature algorithm that openssl shows as sha1WithRSAEncryption for WinRM port 5986. After, this forces certificates to be signed with SHA256, which openssl shows as sha256WithRSAEncryption.

  Some example SHA-1 deprecations include:
  - https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2017/4010323
  - https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

  Also note that RDP 3389 on Windows 2016 also defaults to a SHA256 certificate.

  The specifics were merged from a script mod I found at https://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-7a0321b7 intended for Exchange. It also includes a mod to add an alternate DNS listing so the cert contains CN=HOSTNAME plus now also an alternative of the FQDN.

  I tested this change on Windows 2008R2, 2012R2, and 2016 Datacenter.

* Keep WinRM cert key length at 4096.
* Remove WinRM cert exportpolicy setting.
COMPONENT NAME
examples