Golden Certificate - Unsupported Algorithm - SHA1 #214
Comments
Hello! I'm not a maintainer or anything for this project, but I had the same error as you do and I figured out how to fix it. You need to manually edit the

Originally it's

```python
cert = cert.sign(ca_key, signature_hash_algorithm())
```

Change it to

```python
from cryptography.hazmat.primitives.hashes import SHA256
cert = cert.sign(ca_key, SHA256())
```

Once that's done, it should work fine for you!
Hello,
I have been trying to exploit the attack known as “Golden Certificate” using Certipy and have experienced some errors specific to this scenario. The CA is located on a fairly old Windows machine (I think it is Windows Server 2003 if I am not mistaken). The first step, the backup of the CA's private key and certificate, is successful. However, when I try to forge a certificate for a user (in this case, the Domain Administrator), an error occurs related to the creation of the certificate. Apparently SHA-1 is used, and I believe that this algorithm is completely deprecated and that is where the failure is.
I do not know much about certificates, so I do not know very well if you can implement an end to generate certificates using this algorithm, or you can edit the PFX of the CA, or something. It is a very particular scenario, I had never encountered a CA on such an old computer, so I am reporting this bug so that if someone has the same thing, they have a place to give more detail.
Greetings and thank you very much for the fantastic tool. Hopefully this can be solved.