Feb 29, 2024

Removing the R3 signed by R1 Cross Certificate

Why does the Microsoft Certificate Viewer show my TLS Certificate chaining to R1 when it was issued under R3?

When viewing the TLS Certificate hierarchy for sites secured with a GlobalSign TLS Certificate under our Root R3, some users may observe a 4-level certificate chain back to the SHA-1 GlobalSign Root R1.  

This article discusses how this happens, why it’s not a security risk that the TLS Certificate appears to be issued under the SHA-1 GlobalSign Root R1, and how to temporarily resolve the misleading certificate chain displayed by the Microsoft Certificate Viewer.

Background

When a client visits a secure site and initiates the TLS handshake, the site provides a “chain” of Certificates including the website Certificate and any intermediates needed to connect it back to a trusted root.  Every client makes use of a root store – a collection of embedded CA Certificates – which protects the client from visiting sites that have TLS Certificates that are forged or issued by untrusted sources.

If all of the necessary subordinate CA Certificates are not provided to the TLS client, then it cannot make a trust determination and it will not connect securely. To help offset this and avoid connection issues, most browsers cache the intermediate CA Certificates they are provided so they can be re-used in future TLS connections.

GlobalSign created a cross-signed Certificate to help chain its R3 root back to the older R1, which enables clients with just R1 in their Root trust store to trust websites using the newer R3 root.  That’s because some very old clients may not have R3 as a trusted root, and if web site operators have visitors in that category, then they can configure their web server to provide the Cross Certificate during the TLS handshake.  The Cross Certificate is treated like a subordinate CA and is cached for future use.

How browsers validate TLS Certificates and the chain to a Root?

If you’ve visited a site that provided you the cross-signed Certificate, then the Microsoft Certificate viewer will display a chain like this:

 
However, if you were to use Firefox, you would see a chain like this (TLS Certificate, SHA256 – G3 Subordinate CA, Root R3):

 
Why does this happen? Well, for starters, each browser uses its own proprietary logic to create the Certificate Chain.

Some use the shortest chain, some have used the most recently issued Certificates, others have implemented slightly different methods. But when checking the Certificate chain from browser to browser – results will vary.

Is it an issue that the TLS Certificate issued under R3 appears to chain to R1?

Short answer, no.  While SHA-1 is insecure, the signature on a Root Certificate is irrelevant to the trust of Certificates that chain to it.  How, you ask?  Well, normally the signature on a Certificate is important because without that you have no idea who owns and controls the keypair.  However, when it comes to browsers and operating root stores, the public key and identity are securely stored and there is no reliance on SHA-1 for securing the binding of the key pair to the identity.  This permits old Roots to continue to be used because the binding is enforced within the Root store.

Ok, now what?

So, you have a security expert that requires SHA-256 roots because that is their policy (which is debatable for the reasons listed above) and they mandate that your TLS Certificates be issued under a SHA-256 root.

There are a couple of things you can do:

1. You can use Firefox to view the certificate chain which will accurately chain to R3.
2. You can remove the Cross Certificate from your local trust store, which will cause the Microsoft Certificate Viewer will show the proper chain.  The instructions for this are below, but be warned, that as soon as you visit a site that delivers the Cross Certificate, you will revert back to seeing a 4 level hierarchy in the Microsoft Certificate viewer.  

Who keeps giving me this Cross Certificate anyway?

Good question! One way is to use the Qualys SSL site checker which provides the list of Certificates delivered in the TLS handshake.

How to remove the GlobalSign Cross Certificate?

 

Here is a step-by-step process to remove the Cross Certificate, but, once again, please note that it will return when you visit a site that is providing it as part of the TLS handshake.

1. On your computer, open MMC. To do this, press Windows key + R. Then type "MMC” on the box provided and then hit Enter.

   

2. On the MMC, click File at the top left corner of the MMC window, then scroll to Add/remove Snap-ins. This will open the add/remove snap-in console for MMC as shown below.

   

3. From the Available snap-ins window on the left, select Certificate then click the Add button to move it to the selected Snap-ins window on the right. Once this is completed, click OK.
4. On the Certificate Console under Current User, select the Intermediate Certificate Authorities folder. In here you will find the Cross Certificate in question.

   

5. In the Intermediate Certificate Authorities folder, you will need to find the Cross Certificate. This Certificate has the following details: Issued To: GlobalSign, Issued by: GlobalSign Root CA and the Expiration Date: 1/28/2028. Note: You can sort the Certificates easily by clicking on the Expiration Date.

   

6. To confirm if you have the correct Certificate, check the thumbprint of the Certificate. To do this, double click the Certificate in MMC and  under the Details tab, scroll down and you will see the thumbprint listed as 0bbfab97059595e8d1ec48e89eb8657c0e5aae71. You can compare the details found here: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-cross-certificates

   

7. To remove this Cross Certificate, right click and scroll down to select the Delete option. Once the Cross Certificate has been removed you may close out of the Console. Note: If you opt not to save the console settings, a restart is required for the changes to take effect.
8. Now that the Cross Certificate has been removed, you should now see that the GlobalSign issued Certificates chain like the one as shown below.