Info regarding vulnerability notices for ‘SSL Certificate Signed Using SHA-1 Algorithm’

Starting last week we saw a new vulnerability notice for ‘SSL Certificate Signed Using SHA-1 Algorithm’. The entire college is getting hit by this one A LOT. After doing some investigation into this, it turns out that most, if not all, Windows machines with remote desktop services turned on will be generating this notice because of the SHA-1 certificates in use by Microsoft and UFAD.

From what I can tell, there is nothing that we can do for this particular vulnerability notice until Microsoft releases new SHA-2 certificates and patches their products. As such, I reached out to Information Security & Compliance for guidance. They have stated that they will try to create an exception for RDP/SHA-1 certificate discovery.

Hopefully an exception will be possible and it will lessen the noise we see from this particular notice.

The intent of this notice is to make us aware of website SSL certificates that we can upgrade to SHA-2 signatures. If you do find something that has a SHA-1 SSL certificate, generate a new CSR and send the request to certificates@eng.ufl.edu so we can generate a new certificate for you. Please follow the directions listed at:

https://connect.ufl.edu/eng/admin/eng-net-mgrs/Wiki/SSL%20Certificate%20Requests.aspx (no longer valid)
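
One way to confirm which hash a certificate is signed with and to build the replacement CSR, using the stock `openssl` command line. This is an added example, not part of the original notice or the linked directions; the function names, file names and the `host.example.invalid` subject are assumptions.

```bash
#!/usr/bin/env bash
# Added example: report a certificate's signature hash and build a SHA-256 CSR.

# Print the signature algorithm of a PEM certificate (kind=x509) or CSR (kind=req).
sig_alg() {  # $1 = x509|req, $2 = PEM file
  openssl "$1" -in "$2" -noout -text 2>/dev/null |
    awk -F': *' '/Signature Algorithm/ {print $2; exit}'
}

# Return 0 when the algorithm name is a SHA-1 based signature,
# e.g. sha1WithRSAEncryption or ecdsa-with-SHA1.
is_sha1_sig() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *sha1*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Save the leaf certificate a TLS server presents (needs network access).
fetch_cert() {  # $1 = host, $2 = port, $3 = output PEM
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# Create a new 2048-bit RSA key and a CSR signed with SHA-256.
# The CA chooses the hash on the issued certificate, so re-check it with
# sig_alg once the new certificate comes back.
new_csr() {  # $1 = subject, $2 = key output, $3 = CSR output
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Offline walk-through on constructed files: ./script.sh demo
demo() {
  local d alg
  d=$(mktemp -d)
  new_csr "/CN=host.example.invalid" "$d/host.key" "$d/host.csr"
  # Constructed self-signed certificate standing in for the one on the server.
  openssl x509 -req -in "$d/host.csr" -signkey "$d/host.key" -sha256 \
    -days 1 -out "$d/host.crt" 2>/dev/null
  alg=$(sig_alg x509 "$d/host.crt")
  if is_sha1_sig "$alg"; then echo "REPLACE: $alg"; else echo "OK: $alg"; fi
  echo "CSR signature: $(sig_alg req "$d/host.csr")"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

For a live web server, run `fetch_cert` against the host and port 443, then pass the saved file to `sig_alg x509`.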