For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

TomNSCPO8_12229's avatar
TomNSCPO8_12229
Icon for Nimbostratus rankNimbostratus
Oct 05, 2016

updating Iapp from SHA-1 to SHA-256

Hi All, just a quick question. What is best practice or recent success stories on updating a SHA-1 to SHA-256 cert on a profile built by an Iapp. I know turning off strict updates allows you to do ...
application delivery
iapp
LTM
security
sha-256
Shaun_Simmons1's avatar
Shaun_Simmons1
Icon for Altostratus rankAltostratus
Oct 05, 2016

In my experience --

 

My unfiltered thoughts: A cert is a cert no matter how / where it is made.

 

To modify the certificate to SHA-256, you "renew" the certificate and apply for a new SHA-256 certificate with the same CN and SAN's. --or modified / new SAN's

 

OR -- Create a new SSL profile with the SHA256 certificate and apply it to the VS's you want updated.

 

When you receive the new certificate: Paste in the hash to the certificate you renewed.

 

I have updated hundreds of SSL profiles with expired certs, with the same CN and SAN's or modified SAN. When one connects to a VIP, their session has already negotiated. When you apply the new certificate, everyone after the modification will then use the SHA-256.

 

-- Before I left my last job, I tested this with success. --No calls ha!

 

My cheat

 

I use the F5 to create all of my certificates. :) Cuts down on the time to type the commands.. haha!

 

-Just don't convert it to FIPS or you are Skeee Rewwwed! You can export the Certs to whatever server you want.