6

We have thousands of servers that have been issued certificates signed by our CA using SHA256, but our root CA's own certificate was generated using SHA1. Assuming SHA1 is no longer secure for our purposes, what exactly is the threat to our infrastructure if our root CA certificate was signed using SHA1?

Marcus
  • 63
  • 4

2 Answers

7

None.

You don't trust the Root CA certificate because it was signed by anything - you trust the Root CA because you (or someone on your behalf) placed it in your trust anchor store.

A Root CA certificate has a signature simply because it is mandatory within the X509 specification - it serves no other purpose.

Technically, the trust anchor doesn't have to be a certificate, but most (all?) operating systems have taken the decision to use the X509 certificate format to store the trust anchor - there are others defined (RFC 5914) that don't have a signature, but as far as I'm aware, they are not used.

SHA1 deprecation has been in the limelight lately. If your subordinate CA certificates or your end-entity certificates are signed by SHA1, browsers will complain. However, if you sign your Root CA certificate with MD5 or MD4 (or even something earlier if you can find the tools to do so) then everything will still work.

If you take a look at Google, Facebook, Microsoft (and no doubt many more) you'll find that they still have SHA-1 signed Root CA certificates.

garethTheRed
  • 256
  • 1
  • 7
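The point in the answer above (the trust anchor's own signature is never verified, so its digest algorithm is irrelevant, while the digest on every certificate below it is what a verifier actually checks) is easy to get wrong in a chain audit. The following is an added example, not code from either answer: a minimal DER parser that pulls the signatureAlgorithm OID out of a certificate, plus an audit routine that only flags weak digests on certificates that are not in the trust store. The certificates it audits are constructed stand-ins (the tbsCertificate holds only a subject and issuer string, and the signature is a zeroed placeholder); the names "Example Root", "Example Issuing CA" and "server.example" are made up for the demo.

```python
"""Audit signature digests in a certificate chain, treating the trust anchor
as exempt: its self-signature is never verified, so its digest does not matter.
Added example with constructed certificates, not production PKI code."""

# Signature algorithm OIDs (real values from PKCS#1 / RFC 3279)
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
ALG_NAMES = {
    OID_MD5_RSA: "md5WithRSAEncryption",
    OID_SHA1_RSA: "sha1WithRSAEncryption",
    OID_SHA256_RSA: "sha256WithRSAEncryption",
}
WEAK_SIGNATURE_OIDS = {OID_MD5_RSA, OID_SHA1_RSA}


# --- minimal DER encoding, used only to build the constructed sample certs ---
def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def make_cert(subject, issuer, sig_oid):
    """Constructed stand-in for Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }.
    The real tbsCertificate has version, serial, validity, SPKI and more;
    only the outer layout matters to the parser below."""
    tbs = der(0x30, der(0x0C, subject.encode()) + der(0x0C, issuer.encode()))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))  # AlgorithmIdentifier, NULL params
    sig = der(0x03, b"\x00" + bytes(32))  # BIT STRING placeholder, not a real signature
    return der(0x30, tbs + alg + sig)


# --- minimal DER parsing of the signatureAlgorithm field ---
def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Dotted OID of the algorithm named in the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = read_tlv(cert)          # tbsCertificate, not inspected here
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def audit_chain(chain, trust_store):
    """chain is ordered leaf first, root last. A certificate that is in the
    trust store is the anchor: trust comes from the store, its self-signature
    is never verified, so its digest is reported but never flagged."""
    findings = []
    for idx, cert in enumerate(chain):
        oid = signature_algorithm(cert)
        anchored = cert in trust_store
        findings.append({
            "index": idx,
            "algorithm": ALG_NAMES.get(oid, oid),
            "role": "trust anchor" if anchored else "chain certificate",
            "weak": (not anchored) and oid in WEAK_SIGNATURE_OIDS,
        })
    return findings


if __name__ == "__main__":
    root = make_cert("Example Root", "Example Root", OID_SHA1_RSA)
    inter = make_cert("Example Issuing CA", "Example Root", OID_SHA256_RSA)
    leaf = make_cert("server.example", "Example Issuing CA", OID_SHA256_RSA)
    for f in audit_chain([leaf, inter, root], [root]):
        print(f)
```

Running the block prints one finding per certificate: the SHA-1 root is reported as a trust anchor with `weak: False`, the SHA-256 intermediate and leaf are clean. Swap the intermediate for one built with `OID_SHA1_RSA` and it is flagged, which is the case browsers actually complain about. If the root is not in the trust store at all, it is treated like any other chain certificate, because then nothing in the store vouches for it.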
-2

The signature of a message is applied over its hashed value. If it is computationally hard to generate a collision for a given hash function, it offers the same level of attestation and it generates a constant size digest that is way shorter than most signed documents.

However, if a way to generate collisions is discovered for SHA-1, it would be theoretically possible to generate a rogue certificate that produces the same hash value and, as a result, is verified by the same signature.

As a practical remark, I would expect two kinds of implications: the technical one, where attackers would create rogue certificates to impersonate other entities, and a legal one. If the binding property of a certificate is questioned, the legal binding of any digital signature produced with the certified key can be plausibly denied.

Sergio A. Figueroa
  • 1,918
  • 13
  • 19