SHA2 Certificate Migration
I am currently in the process of migrating all of my managed SSL certificates from a SHA1 to a SHA2 signing algorithm. Based on other discussions, I'm still unclear on how I should be going about doing this. I have successfully renewed a certificate which was previously signed with SHA1 with SHA2. I did not have to create a new key and the import was very successful. However, the owner of our internal PKI brought up a concern because the F5 defaults to SHA1 when creating a CSR even though the signature can be overwritten with SHA2. Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification.
Should I be creating CSRs through the F5 gui which has a SHA1 signing algorithm as I always have while asking for a SHA2 signing or should I use openssl to create a CSR specifying SHA2?
- swo0sh_gt_13163 (Altostratus)
I think we can generate a CSR from F5 CLI using OpenSSL tool for SHA2. I recently did the same using the following command to generate the SHA2 CSR.
openssl req -out /var/tmp/Test1.csr -key /var/tmp/Test.key -new -sha256
Source article:
http://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/
I hope this would help.
Cheers! Darshan
- nitass (Employee)
Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification.
I think it (the CSR's signature algorithm) does not matter as long as the CA signs it using SHA2.
Are certificate authorities required to obey the signature algorithm (hashing) specified in the CSR?
- MichaelJordan_1 (Nimbostratus)
Thanks ZacW
- ZacW (Nimbostratus)
I never received a confident answer one way or the other, but I've had no problems with creating the CSR within the GUI and having it signed with SHA-2. There is no difference in the way that the keys are generated from what I can tell. If you run certutil within Windows or examine the CSR attributes you will see a SHA-1 signing algorithm. However, as long as your CA signs with SHA-2 it will update accordingly. The other solution is to create the CSR using openssl, but I haven't deemed that necessary. Make sure you update your certificate chains as well :)
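The point made in the replies above (the hash named when the CSR is built does not change the key, and the issued certificate carries whatever digest the CA signs with) can be checked locally with the openssl CLI. The script below is an added demonstration, not code from this thread or from F5: it builds one RSA key (an assumption; the thread does not state the key type), creates a SHA-1 CSR and a SHA-256 CSR from it using the same `openssl req ... -sha256` form Darshan posted, compares the public key in both CSRs against the key file, and then has a throwaway CA sign the SHA-1 CSR with SHA-256. The subject names and scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: the digest named when
# building a CSR (-sha1 vs -sha256) only affects the CSR's own signature.
# The RSA key is identical, and the issued certificate carries whatever
# digest the CA signs with. Requires the openssl CLI; all subject names
# and the scratch directory are constructed for this example.
set -eu

WORK=$(mktemp -d)

# One RSA key, generated once. Key generation takes no hash parameter.
gen_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# CSR from that key, signed with the requested digest.
# $1 = digest name (sha1 or sha256), $2 = output path
gen_csr() {
    openssl req -new -key "$WORK/server.key" -"$1" \
        -subj "/CN=server.example.internal" -out "$2" 2>/dev/null
}

# A throwaway CA, so the CA's digest choice on the issued cert can be shown.
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate from a CSR, signing with the digest the CA chooses.
# $1 = CSR path, $2 = CA digest, $3 = output certificate path
issue_cert() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -"$2" -days 1 -out "$3" 2>/dev/null
}

# Signature algorithm as printed by openssl, e.g. sha256WithRSAEncryption
csr_sig_alg()  { openssl req  -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
cert_sig_alg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }

# SHA-256 fingerprint of the public key inside a CSR, or of the key file itself
csr_pubkey_fp() { openssl req -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_fp() { openssl pkey -in "$WORK/server.key" -pubout | openssl sha256 | awk '{print $NF}'; }

run_demo() {
    gen_key
    gen_ca
    gen_csr sha1   "$WORK/sha1.csr"
    gen_csr sha256 "$WORK/sha256.csr"

    echo "CSR signed with -sha1:    $(csr_sig_alg "$WORK/sha1.csr")"
    echo "CSR signed with -sha256:  $(csr_sig_alg "$WORK/sha256.csr")"
    echo "Public key in sha1 CSR:   $(csr_pubkey_fp "$WORK/sha1.csr")"
    echo "Public key in sha256 CSR: $(csr_pubkey_fp "$WORK/sha256.csr")"
    echo "Public key from key file: $(key_pubkey_fp)"

    # The CA signs the SHA-1 CSR with SHA-256: the resulting certificate is SHA-2.
    issue_cert "$WORK/sha1.csr" sha256 "$WORK/server.crt"
    echo "Certificate issued from sha1 CSR: $(cert_sig_alg "$WORK/server.crt")"
}

run_demo
```

The three public-key fingerprints print identically, the two CSRs differ only in their `Signature Algorithm` line, and the certificate issued from the SHA-1 CSR reports `sha256WithRSAEncryption`. The same `openssl req -noout -text` and `openssl x509 -noout -text` checks are the ones to run on a CSR exported from the F5 and on the certificate returned by the CA before importing it.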
- MichaelJordan_1 (Nimbostratus)
Hi, same situation here and I really want to hear any suggestion.
- ZacW (Nimbostratus)
A bit of clarification... I am running 11.2.1. I am only concerned about the key possibly being created in a way that does not fully support the SHA2 signing algorithm. The F5 CSR's signing algorithm shows SHA1 when running certutil. However, the PKI (internal or third party) signs with SHA2 and the import works successfully with the correct algorithm. I'm only making sure to cover all bases.
Thanks!