Forum Discussion
Updating iApp from SHA-1 to SHA-256
Hi All, just a quick question. What are best practices or recent success stories on updating a SHA-1 to SHA-256 cert on a profile built by an iApp? I know turning off strict updates allows you to do it, but can you just update the profile? I did not do a renew on the cert through the CA (a coworker bought it as it was new).
Thanks
- Shaun_Simmons1
In my experience --
My unfiltered thoughts: A cert is a cert no matter how / where it is made.
To modify the certificate to SHA-256, you "renew" the certificate and apply for a new SHA-256 certificate with the same CN and SANs -- or modified / new SANs.
OR -- create a new SSL profile with the SHA-256 certificate and apply it to the VSs you want updated.
When you receive the new certificate: Paste in the hash to the certificate you renewed.
I have updated hundreds of SSL profiles with expired certs, with the same CN and SANs or modified SANs. When one connects to a VIP, their session has already negotiated. When you apply the new certificate, everyone after the modification will then use the SHA-256.
-- Before I left my last job, I tested this with success. --No calls ha!
My cheat
I use the F5 to create all of my certificates. :) Cuts down on the time to type the commands.. haha!