Forum Discussion

ZacW
Feb 06, 2015

SHA2 Certificate Migration

I am currently in the process of migrating all of my managed SSL certificates from a SHA1 to a SHA2 signing algorithm. Based on other discussions, I'm still unclear on how I should be going about doing this. I have successfully renewed a certificate which was previously signed with SHA1 with SHA2. I did not have to create a new key and the import was very successful. However, the owner of our internal PKI brought up a concern because the F5 defaults to SHA1 when creating a CSR even though the signature can be overwritten with SHA2. Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification.

Should I be creating CSRs through the F5 gui which has a SHA1 signing algorithm as I always have while asking for a SHA2 signing or should I use openssl to create a CSR specifying SHA2?

  • ZacW

    A bit of clarification... I am running 11.2.1. I am only concerned about the key possibly being created in a way that does not fully support the sha2 signing algorithm. The F5 CSRs signing algorithm shows SHA1 when running certutil. However, the PKI (internal or third party) signs with SHA2 and the import works successfully with the correct algorithm. I'm only making sure to cover all bases.

    Thanks!

  • ZacW

    I never received a confident answer one way or the other, but I've had no problems with creating the CSR within the GUI and having it signed with SHA-2. There is no difference in the way that the keys are generated from what I can tell. If you run certutil within Windows or examine the CSR attributes you will see a SHA-1 signing algorithm. However, as long as your CA signs with SHA-2 it will update accordingly. The other solution is to create the CSR using openssl, but I haven't deemed that necessary. Make sure you update your certificate chains as well :)

  • Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification.

    I think it (the CSR's signature algorithm) does not matter as long as the CA signs it using SHA2.

    Are certificate authorities required to obey to the signature algorithm (hashing) specified in the CSR?

    http://security.stackexchange.com/questions/67180/are-certificate-authorities-required-to-obey-to-the-signature-algorithm-hashing
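The point made in this thread (the digest named in the CSR only covers the CSR's own self-signature; the key pair and the issued certificate's signature algorithm are unaffected) can be checked directly with openssl. The script below is an added example, not code from the thread or from F5: it builds two CSRs from one RSA key, one signed with SHA-1 as the thread says the BIG-IP GUI does and one with SHA-256, has a throwaway test CA sign both with SHA-256, and compares the signature algorithms and public-key fingerprints. The subject names and the test CA are constructed for the demo.

```shell
#!/bin/sh
# Added example: one RSA key, two CSRs (SHA-1 vs SHA-256 self-signature),
# both issued by a constructed test CA that signs with SHA-256.
set -eu
WORK=$(mktemp -d)
SUBJ="/CN=app.example.test"   # constructed subject, not a real host

gen_key()  { openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null; }
# make_csr <digest> <outfile>: the digest only affects the CSR's own signature
make_csr() { openssl req -new -key "$WORK/server.key" -"$1" -subj "$SUBJ" -out "$2" 2>/dev/null; }
# Throwaway CA that signs with SHA-256 regardless of what the CSR was signed with
make_ca()  { openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
               -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null; }
sign_csr() { openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
               -CAcreateserial -sha256 -days 1 -out "$2" 2>/dev/null; }

# Inspection helpers: signature algorithm of a CSR/cert, SHA-256 fingerprint of its public key
csr_sigalg()  { openssl req  -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
cert_sigalg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
csr_pubkey()  { openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

gen_key; make_ca
make_csr sha1   "$WORK/sha1.csr"
make_csr sha256 "$WORK/sha256.csr"
sign_csr "$WORK/sha1.csr"   "$WORK/sha1.crt"
sign_csr "$WORK/sha256.csr" "$WORK/sha256.crt"

# Both CSRs carry the same public key, and both issued certs are sha256WithRSAEncryption
for n in sha1 sha256; do
  printf '%-6s CSR sig=%-24s cert sig=%-24s key=%s\n' "$n" \
    "$(csr_sigalg "$WORK/$n.csr")" "$(cert_sigalg "$WORK/$n.crt")" "$(cert_pubkey "$WORK/$n.crt" | cut -c1-16)"
done
```

On a system whose crypto policy has disabled SHA-1 signing outright, the SHA-1 CSR step itself will fail; that is the policy refusing to sign, not a difference in the key.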