KB Article #183042
Deprecation of SHA1 signature algorithm in the Chrome browser impedes Admin UI access
Problem
The SHA-1 algorithm has known collisions and is no longer considered a secure hash function. As such, the use of SHA-1 signatures in TLS has been deprecated by the IETF in RFC 9155. Removing SHA-1 support ensures the weaknesses cannot be used by an attacker to impersonate a TLS server.
Recent versions of the Chrome browser followed suit and deprecated support for the SHA-1 signature algorithm. The impact on SecureTransport is that access to the ST Administration Tool is blocked if the tool is configured to use a SHA-1 signed certificate (i.e. the admind certificate).
Resolution
For a permanent solution, replace the admind certificate with one signed using a stronger hash algorithm (such as SHA-256).
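To confirm which algorithm signed the certificate the Admin UI presents, before and after replacing it, the following helper is an added example (not code from this article or from SecureTransport): it reads the outer signatureAlgorithm OID of a DER certificate using only the Python standard library. The host and port passed to check_server, and the bytes built by sample_cert, are assumptions and constructed inputs, not values from the article.

```python
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); the SHA-1 ones are the problem here.
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _read_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128; high bit set means more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the OID from Certificate.signatureAlgorithm (the outer field after tbsCertificate)."""
    _, pos, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)           # tbsCertificate, skipped as a whole
    _, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """Return (oid, name, verdict); verdict is 'sha1', 'sha2' or 'unknown'."""
    oid = signature_algorithm(der)
    if oid in SHA1_OIDS:
        return oid, SHA1_OIDS[oid], "sha1"
    return oid, SHA2_OIDS.get(oid, "unrecognised"), "sha2" if oid in SHA2_OIDS else "unknown"

def check_server(host, port):
    """Fetch the certificate a TLS listener presents (no validation performed) and classify it."""
    return classify(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def sample_cert(oid_content):
    """Constructed test input: empty tbsCertificate, the given OID with NULL params, dummy BIT STRING."""
    alg = b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body
```

Run check_server against the Admin UI host and port; a "sha1" verdict means the admind certificate must be reissued before Chrome will connect.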
For a temporary workaround, use one of the following options:
1. Enterprise administrators can set the InsecureHashesInTLSHandshakesEnabled enterprise policy. This is a temporary policy and will be removed in Chrome 123. Additionally, because it allows an insecure hash function in a critical part of the TLS handshake, enabling this policy increases the risk of attackers impersonating servers within an enterprise deployment.
2. Enable the "Allow SHA-1 server signatures in TLS" flag in Chrome: go to chrome://flags/#use-sha1-server-handshakes and set it to Enabled. This flag is temporary and will be removed in a future release of Chrome.
3. Use another browser (such as Firefox) or an older version of Chrome.