
Danish202_17040
Jan 07, 2015

Hash Algorithm upgradation..Want to upgrade SHA1 certificate.


 

Can anyone suggest:

1. Points to consider before SHA1 certificate upgradation.
2. If SSL offloading (SSL termination) is configured on the LB, will there be any impact at the server end post SHA1 upgradation?

 

2 Replies

  • You're updating an existing SHA1 cert to SHA2? Shouldn't be an issue. Scenarios:

    1. You're reissuing the certificate and reusing the CSR/Key.
       A. Export the Key and upload the new cert/key pair.
       B. You probably will receive a new CA Chain. Make sure to upload that as well. The new Entrust SHA2 chain is 3 certs long with the offline root being a SHA1.

    2. You're receiving a new PFX file.
       A. Just import and boom, you're done. It may or may not contain the CA chain but I would recommend uploading the chain separately.

    If you're terminating SSL, no issue there either. Termination or bridging, BigIP will support old and new methods for testing. Validate the ciphers being used against your version of BigIP; here's 11.x.

     

  • For both the points mentioned above there is no special consideration to be kept in mind, except a minute's downtime, only if things are all well in place.

     

    The major consideration is only in terms of server certificates: you must ensure the back ends are accepting connections on the certificate now going to be used, else it may result in a broken connection.
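
For scenario 1 in the first reply (reissued certificate, reused CSR/key), an added example that is not part of the thread: a shell check to run before uploading the new cert/key pair, confirming that the certificate belongs to the existing key and is no longer SHA-1 signed. It assumes the `openssl` CLI is installed; the function names, file names, and the throwaway key and certificate in the demo are constructed.

```shell
#!/usr/bin/env bash
# Pre-upload checks for a reissued certificate (added example; names are placeholders).

# Signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption".
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# SHA-256 fingerprint of the public key inside a certificate.
cert_pub_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public key derived from a private key.
key_pub_fp() {
  openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = safe to upload, 1 = cert/key mismatch, 2 = still SHA-1 signed.
check_reissue() {
  local cert=$1 key=$2 alg
  alg=$(sig_alg "$cert")
  if [ "$(cert_pub_fp "$cert")" != "$(key_pub_fp "$key")" ]; then
    echo "FAIL: certificate does not belong to this key"; return 1
  fi
  case "$alg" in
    sha1*|*SHA1*) echo "FAIL: still signed with $alg"; return 2 ;;
  esac
  echo "OK: $alg, matches key"
}

# Demo on constructed material: a throwaway key and self-signed SHA-256 cert.
demo() {
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=demo.example" -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null
  check_reissue "$d/site.crt" "$d/site.key"
  rm -rf "$d"
}
demo
```

Run `check_reissue new.crt existing.key` against the real files; a non-zero exit means the pair should not be uploaded as-is.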