Weak Cryptography Detection
Tags: Weak cryptography, certificate security, algorithm detection, MD5, SHA-1, RSA key length, cryptographic strength, signature algorithm, hash algorithm, security monitoring, deprecated algorithms
Enhanced certificate monitoring automatically detects weak cryptographic algorithms and validates certificate security strength to identify certificates that require replacement due to deprecated algorithms.
:6.4.0.0: Introduced automatic weak cryptography detection for signature algorithms, hash algorithms, and public key lengths.
For configuration options, see Certificate Configuration - Weak Cryptography Detection.
Overview
Weak cryptography detection identifies three categories of security risks:
- Signature Algorithm Security: Detects deprecated signature algorithms (MD5RSA, MD5DSA, SHA-1 variants)
- Hash Algorithm Security: Validates hash algorithms used in certificate fingerprints and signatures
- Public Key Length Assessment: Ensures RSA keys meet minimum security standards (2048+ bits)
Certificates with weak cryptography appear as WARNING resources in Monitor Views with clear indication of the security issue requiring remediation.
Security Assessment States
| State | Icon | Description |
|---|---|---|
| OK | Green | Certificate uses strong cryptographic algorithms (SHA-256+, 2048+ bit RSA, 256+ bit ECDSA) |
| WARNING | Orange | Weak cryptography detected (MD5, SHA-1, or RSA keys < 2048 bits) - replacement required |
| ERROR | Red | Weak cryptography combined with other certificate failures (such as chain errors), or weak cryptography alone when TreatWeakCryptographyAsError is enabled |
Signature Algorithm Detection
The signature algorithm used to sign the certificate is validated against known weak algorithms:
Deprecated Signature Algorithms
| Algorithm | Status | Risk Level | Action Required |
|---|---|---|---|
| MD5RSA | Deprecated | Critical | Replace immediately |
| MD5DSA | Deprecated | Critical | Replace immediately |
| SHA1RSA | Deprecated | High | Replace during next renewal |
| SHA1DSA | Deprecated | High | Replace during next renewal |
| SHA1ECDSA | Deprecated | High | Replace during next renewal |
Secure Signature Algorithms
| Algorithm | Status | Recommended |
|---|---|---|
| SHA256RSA | Secure | ✅ Yes |
| SHA384RSA | Secure | ✅ Yes |
| SHA512RSA | Secure | ✅ Yes |
| SHA256ECDSA | Secure | ✅ Yes (ECDSA preferred) |
| SHA384ECDSA | Secure | ✅ Yes (ECDSA preferred) |
| SHA512ECDSA | Secure | ✅ Yes (ECDSA preferred) |
Example Detection:
Signature Algorithm: MD5RSA
⚠️ WARNING: Weak signature algorithm detected - MD5 is cryptographically broken
Hash Algorithm Detection
The hash algorithm used in certificate fingerprints and internal hashing is validated. Note that the security-relevant digest is the one inside the signature algorithm (for example the SHA-1 in SHA1RSA): Windows computes the thumbprint shown in certificate dialogs with SHA-1 for every certificate, as an identifier only, and a SHA-1 thumbprint by itself is not a weakness.
Weak Hash Algorithms
| Algorithm | Status | Risk Level | Action Required |
|---|---|---|---|
| MD5 | Deprecated | Critical | Replace immediately |
| SHA-1 | Deprecated | High | Replace during next renewal |
Secure Hash Algorithms
| Algorithm | Status | Recommended |
|---|---|---|
| SHA-256 | Secure | ✅ Yes |
| SHA-384 | Secure | ✅ Yes |
| SHA-512 | Secure | ✅ Yes |
Example Detection:
Hash Algorithm: SHA1
⚠️ WARNING: Deprecated hash algorithm - SHA-1 no longer considered secure
Public Key Length Assessment
RSA public key lengths are validated to ensure they meet minimum security standards:
RSA Key Length Requirements
| Key Length | Status | Security Level | Action |
|---|---|---|---|
| < 1024 bits | Insecure | Critical | Replace immediately |
| 1024 bits | Weak | High | Replace immediately |
| 1536 bits | Weak | Medium | Below the 2048-bit default minimum, so flagged WARNING; replace during next renewal |
| 2048 bits | Secure | Standard | ✅ Acceptable (default MinimumRSAKeyLength) |
| 3072 bits | Secure | Enhanced | ✅ Recommended |
| 4096 bits | Secure | High | ✅ Recommended |
ECDSA Key Length Requirements
| Key Length | Curve | Status | Recommended |
|---|---|---|---|
| 256 bits | P-256 | Secure | ✅ Yes |
| 384 bits | P-384 | Secure | ✅ Yes |
| 521 bits | P-521 | Secure | ✅ Yes |
Example Detection - Weak Key:
Public Key Algorithm: RSA
Public Key Length: 1024 bits
⚠️ WARNING: Weak RSA key length - minimum 2048 bits required for security
Example Detection - Secure Key:
Public Key Algorithm: RSA
Public Key Length: 2048 bits
✅ OK: Secure key length meets modern security standards
Certificate Details Display
Weak cryptography information appears in the certificate details page under Cryptographic Information:
Normal Display (Secure Cryptography)
Cryptographic Information
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Signature Algorithm: SHA256RSA
Hash Algorithm: SHA256
Public Key Algorithm: RSA
Public Key Length: 2048 bits
✅ All cryptographic parameters meet security standards
Warning Display (Weak Signature Algorithm)
Cryptographic Information
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Signature Algorithm: MD5RSA
⚠️ WARNING: Weak signature algorithm - MD5 is cryptographically broken
Hash Algorithm: SHA256
Public Key Algorithm: RSA
Public Key Length: 2048 bits
Action Required: Replace this certificate with one using SHA-256 or stronger
Warning Display (Multiple Weaknesses)
Cryptographic Information
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Signature Algorithm: SHA1RSA
⚠️ WARNING: Deprecated signature algorithm - SHA-1 no longer considered secure
Hash Algorithm: SHA1
⚠️ WARNING: Deprecated hash algorithm - SHA-1 must be replaced
Public Key Algorithm: RSA
Public Key Length: 1024 bits
⚠️ WARNING: Weak RSA key length - minimum 2048 bits required
Action Required: Replace this certificate immediately - multiple security issues detected

Certificate details showing MD5RSA signature algorithm and 512-bit RSA public key triggering multiple security warnings.

Certificates with weak cryptography (SHA-1) appearing as WARNING resources in Monitor Views requiring replacement.
Configuration
Control weak cryptography detection behavior:
| Setting | Default | Description |
|---|---|---|
| EnableWeakCryptographyDetection | true | Enable/disable weak cryptography monitoring |
| TreatWeakCryptographyAsError | false | Escalate weak cryptography from WARNING to ERROR state |
| MinimumRSAKeyLength | 2048 | Minimum acceptable RSA key length in bits |
| AllowSHA1Certificates | false | Temporarily allow SHA-1 certificates (legacy compatibility) |
For detailed configuration, see Certificate Configuration.
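The following PowerShell function is an added example, not the product's own code: it reproduces the three checks described in the Signature Algorithm, Hash Algorithm and Public Key Length sections over certificates from the Cert: drive, and honours the four settings in the Configuration table as parameters with the same names and defaults. The function name, the OID table and the output shape are the editor's assumptions; the product's internal implementation is not published on this page.

```powershell
function Test-CertificateCryptography {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # The four settings below mirror the Configuration table; defaults match it
        [bool]$EnableWeakCryptographyDetection = $true,
        [bool]$TreatWeakCryptographyAsError = $false,
        [int]$MinimumRSAKeyLength = 2048,
        [bool]$AllowSHA1Certificates = $false
    )
    begin {
        # Signature-algorithm OID -> digest. OIDs are stable; FriendlyName depends on the
        # local OID database, so it is only used as a fallback below.
        $digestByOid = @{
            '1.2.840.113549.1.1.2'  = 'MD2';    '1.2.840.113549.1.1.4'  = 'MD5'     # md2RSA, md5RSA
            '1.2.840.113549.1.1.5'  = 'SHA1';   '1.2.840.10040.4.3'     = 'SHA1'    # sha1RSA, sha1DSA
            '1.2.840.10045.4.1'     = 'SHA1'                                        # sha1ECDSA
            '1.2.840.113549.1.1.11' = 'SHA256'; '1.2.840.113549.1.1.12' = 'SHA384'; '1.2.840.113549.1.1.13' = 'SHA512'
            '1.2.840.10045.4.3.2'   = 'SHA256'; '1.2.840.10045.4.3.3'   = 'SHA384'; '1.2.840.10045.4.3.4'   = 'SHA512'
        }
    }
    process {
        $findings = New-Object System.Collections.Generic.List[string]

        # 1. Signature algorithm / digest
        $sigOid  = $Certificate.SignatureAlgorithm.Value
        $sigName = $Certificate.SignatureAlgorithm.FriendlyName
        $digest  = $digestByOid[$sigOid]
        if (-not $digest -and $sigName -match '^(md2|md5|sha1|sha256|sha384|sha512)') { $digest = $Matches[1].ToUpper() }
        if (-not $digest) {
            # e.g. RSASSA-PSS (1.2.840.113549.1.1.10) carries its digest in the parameters; flag for manual review
            $digest = 'UNKNOWN'
            $findings.Add("Unrecognised signature algorithm $sigName ($sigOid) - review manually")
        }
        switch ($digest) {
            { $_ -in 'MD2', 'MD5' } { $findings.Add("Weak signature algorithm $sigName - $digest is cryptographically broken") }
            'SHA1' { if (-not $AllowSHA1Certificates) { $findings.Add("Deprecated signature algorithm $sigName - SHA-1 is no longer considered secure") } }
        }

        # 2. Public key algorithm and length (GetRSAPublicKey/GetECDsaPublicKey return $null for other key types)
        $keyAlg  = $Certificate.PublicKey.Oid.FriendlyName   # 'RSA', 'ECC' or 'DSA' on Windows
        $keySize = 0
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa) {
            $keyAlg = 'RSA'; $keySize = $rsa.KeySize
            if ($keySize -lt $MinimumRSAKeyLength) { $findings.Add("Weak RSA key length $keySize bits - minimum $MinimumRSAKeyLength bits required") }
        } else {
            $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Certificate)
            if ($ecdsa) {
                $keyAlg = 'ECDSA'; $keySize = $ecdsa.KeySize
                if ($keySize -lt 256) { $findings.Add("Weak ECDSA key length $keySize bits - minimum 256 bits required") }
            } else {
                $findings.Add("Unsupported public key algorithm $keyAlg - review manually")   # e.g. DSA
            }
        }

        # 3. Map findings to the monitor state, honouring the two on/off settings
        $state = 'OK'
        if ($EnableWeakCryptographyDetection -and $findings.Count -gt 0) {
            $state = if ($TreatWeakCryptographyAsError) { 'ERROR' } else { 'WARNING' }
        }
        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Thumbprint         = $Certificate.Thumbprint
            SignatureAlgorithm = $sigName
            HashAlgorithm      = $digest
            PublicKeyAlgorithm = $keyAlg
            PublicKeyLength    = $keySize
            State              = $state
            Findings           = ($findings -join '; ')
        }
    }
}

# Usage: list every certificate in the machine store that needs attention
Get-ChildItem Cert:\LocalMachine\My |
    Test-CertificateCryptography |
    Where-Object State -ne 'OK' |
    Format-Table Subject, SignatureAlgorithm, PublicKeyAlgorithm, PublicKeyLength, State, Findings -AutoSize
```

Two design points worth noting. The digest is derived from the signature OID rather than the friendly name because friendly names come from the local OID database and differ between Windows versions, whereas OIDs do not. Anything the table does not recognise (RSASSA-PSS, unusual DSA variants) is reported as UNKNOWN with a finding instead of silently passing as OK, which is the safer failure mode for a security check.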
Testing Weak Cryptography Detection
Create test certificates to validate weak cryptography detection:
Test Scenario 1: Certificate with MD5 Signature (WARNING)
# Note: Windows tooling no longer produces MD5-signed certificates directly,
# so use an existing legacy certificate or create one with OpenSSL (bash/sh):
# Create a 2048-bit private key (the key itself is strong; only the signature digest is weak)
openssl genrsa -out md5test.key 2048
# Self-signed certificate with an MD5 signature (deprecated). Some OpenSSL builds with
# restrictive crypto policies refuse -md5; in that case fall back to a legacy certificate
openssl req -new -x509 -key md5test.key -out md5test.crt -days 365 -md5 -subj "/CN=MD5-Test"
# Bundle as PFX. OpenSSL 3.x writes AES/PBKDF2-based PKCS#12 by default, which older
# Windows versions cannot import; add -legacy if the import below fails
openssl pkcs12 -export -out md5test.pfx -inkey md5test.key -in md5test.crt -passout pass:test123
# Import into the machine store (PowerShell, elevated prompt).
# Do not name the variable $pwd: it shadows PowerShell's automatic $PWD variable
$pfxPassword = ConvertTo-SecureString -String "test123" -Force -AsPlainText
Import-PfxCertificate -FilePath "md5test.pfx" -CertStoreLocation "Cert:\LocalMachine\My" -Password $pfxPassword
# Expected: WARNING state - MD5 signature algorithm detected
Test Scenario 2: Certificate with SHA-1 Hash (WARNING)
# Create certificate with SHA-1 hash (deprecated)
$sha1Cert = New-SelfSignedCertificate `
-Subject "CN=SHA1-Test" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-HashAlgorithm SHA1 `
-KeyLength 2048
# Expected: WARNING state - SHA-1 hash algorithm deprecated
Test Scenario 3: Certificate with Weak RSA Key (WARNING)
# Create certificate with 1024-bit RSA key (weak)
$weakRSACert = New-SelfSignedCertificate `
-Subject "CN=WeakRSA-Test" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 1024
# Expected: WARNING state - RSA key length below 2048 bits
Test Scenario 4: Certificate with Strong Cryptography (OK)
# Create certificate with SHA-256 and 2048-bit RSA key (secure)
$secureCert = New-SelfSignedCertificate `
-Subject "CN=Secure-Test" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-HashAlgorithm SHA256 `
-KeyLength 2048
# Expected: OK state - all cryptographic parameters secure
Test Scenario 5: ECDSA Certificate with Strong Cryptography (OK)
# Create ECDSA certificate with P-256 curve (secure)
$ecdsaCert = New-SelfSignedCertificate `
-Subject "CN=ECDSA-Test" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyAlgorithm ECDSA_nistP256 `
-HashAlgorithm SHA256
# Expected: OK state - ECDSA with SHA-256 meets security standards
For comprehensive testing scripts and additional scenarios, see FAQ: Weak Cryptography Detection.
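Test scenarios 2 to 5 above leave weak, self-signed certificates with private keys in the machine store. The script below is an added example (not the product's test script) that creates those four fixtures in one pass, reads back the properties a monitor would actually evaluate, waits for you to run a scan, and then removes each fixture together with its private key. The MD5 case is not included because New-SelfSignedCertificate cannot produce it. The subject suffix, the one-day lifetime and the expected states are the editor's assumptions; the store path is the one the scenarios use and needs an elevated prompt.

```powershell
$store  = 'Cert:\LocalMachine\My'
$suffix = '-WeakCryptoTest'   # assumption: marks our fixtures; cleanup deletes only by thumbprint anyway
$scenarios = @(
    @{ Name = 'SHA1';    Params = @{ HashAlgorithm = 'SHA1';   KeyLength = 2048 };                Expected = 'WARNING' }
    @{ Name = 'WeakRSA'; Params = @{ HashAlgorithm = 'SHA256'; KeyLength = 1024 };                Expected = 'WARNING' }
    @{ Name = 'Secure';  Params = @{ HashAlgorithm = 'SHA256'; KeyLength = 2048 };                Expected = 'OK' }
    @{ Name = 'ECDSA';   Params = @{ HashAlgorithm = 'SHA256'; KeyAlgorithm = 'ECDSA_nistP256' }; Expected = 'OK' }
)
$created = @()
try {
    foreach ($s in $scenarios) {
        $p = $s.Params
        # One-day lifetime: a forgotten fixture expires instead of lingering as a valid-looking certificate
        $cert = New-SelfSignedCertificate -Subject "CN=$($s.Name)$suffix" -CertStoreLocation $store `
                                          -NotAfter (Get-Date).AddDays(1) @p
        $created += $cert
        # Read back what a monitor would see rather than trusting the parameters we passed in
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else {
            [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert).KeySize
        }
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            PublicKeyLength    = $keySize
            ExpectedState      = $s.Expected
        } | Format-List
    }
    Read-Host 'Fixtures are in the store - run a monitor scan, then press Enter to remove them' | Out-Null
}
finally {
    # Runs even if creation or the scan aborted; -DeleteKey removes the private key container too
    foreach ($c in $created) {
        Remove-Item -Path (Join-Path $store $c.Thumbprint) -DeleteKey -ErrorAction Continue
    }
}
```

Compare the SignatureAlgorithm and PublicKeyLength columns printed for each fixture with the state the monitor reports; a mismatch between ExpectedState and the Monitor View indicates either a configuration override (AllowSHA1Certificates, MinimumRSAKeyLength) or a scan that has not yet run. The MD5 certificate imported in scenario 1 is not tracked by this script and must be removed separately.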
Security Recommendations
- Replace MD5 Certificates Immediately: MD5 is cryptographically broken and poses severe security risks
- Phase Out SHA-1 Certificates: SHA-1 is deprecated by all major browsers and certificate authorities
- Minimum 2048-bit RSA Keys: Never use RSA keys smaller than 2048 bits in production
- Prefer ECDSA: ECDSA certificates offer equivalent security with shorter keys (256-bit ECDSA ≈ 3072-bit RSA)
- Monitor Continuously: Enable weak cryptography detection on all certificate-bearing servers
- Plan Renewals: Replace weak certificates during next renewal cycle
- Legacy System Exceptions: If legacy systems require weak cryptography, document justification and remediation timeline
Industry Deprecation Timeline
Dates are approximate: individual certificate authorities and browser vendors moved at different times, and enterprise root programs may have enforced them earlier or later.
| Algorithm/Key | CA Issuance Stopped | Browser Support Ended | Action Deadline |
|---|---|---|---|
| MD5 | 2005 | 2009 | Replace immediately |
| SHA-1 | 2016 | 2017 | Replace immediately |
| 1024-bit RSA | 2013 | 2016 | Replace immediately |
| SHA-256 | Still supported | Still supported | ✅ Secure |
| 2048-bit RSA | Still supported | Still supported | ✅ Secure |