SHA-1 deprecation and Symantec Endpoint Protection


Article ID: 150508


Products

Endpoint Protection

Issue/Introduction

 

Resolution

In 2015, Microsoft began deprecating support for SHA-1 certificates. This process should be completed in February 2017. The following information covers how Symantec Endpoint Protection (SEP), Symantec Endpoint Protection Manager (SEPM), and LiveUpdate Administrator (LUA) will be affected by these changes.

Q1 : Does SEP, SEPM, or LUA use SHA-1 SSL certificates?
•    SEPM Answer: No. Starting with 12.1 RU6, the default self-signed server certificate used for SSL is signed using the SHA-256 hash function.
o    Note: This certificate is not upgraded on migration. Only fresh installs of 12.1 RU6 use a SHA-2 certificate by default. If the SEPM was upgraded from an older version, a new certificate can be generated manually. See the following KB, Generating a new server certificate.
•    SEP Answer: Yes. SEP will move to SHA-2 when Microsoft no longer honors SHA-1 signatures.
•    LUA Answer: LUA uses SHA-2 certificates starting with 2.3.5.
 
Q2 : Does Symantec Endpoint Protection support SHA-2 certificates?  
•    SEPM Answer: Already supported. 
•    SEP Answer: SEP will make the move to SHA-2 when Microsoft no longer honors SHA-1 signatures.
•    LUA Answer: Already supported. 
 
Q3 : Are SHA-1 authenticode signatures in use by the SEP client?
•    SEP Answer: Yes, SEP still uses SHA-1 signatures for the SEP client. The SEP client uses Authenticode signatures, which are unrelated to the SHA-1 deprecation plan announced by Microsoft, so existing client installations are not affected. That said, Symantec is independently evaluating the move to SHA-2 for SEP client Authenticode signatures in a future release.
 
Q4 : If I do nothing regarding this update, what happens with each product?
•    SEPM Answer: Nothing. (Unless you are using a third-party certificate; see below.)
•    SEP Answer: Nothing.
•    LUA Answer: Nothing.
 
Q5 : Can I continue to use an old SHA-1 SEPM certificate, or do I need to upgrade to SHA-2?
•    SEPM Answer: By default, the SEPM uses a self-signed certificate. If the SEPM is using a SHA-1 self-signed certificate, you can continue using this certificate until it expires. You can also generate a new certificate using the previously linked steps.

If the self-signed certificate was replaced with a third-party certificate that uses SHA-1, you will need to replace it with a SHA-2 certificate to ensure client communication continues to work over HTTPS after February 2017.
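To check which hash function a SEPM server certificate (self-signed or third-party) was actually signed with before deciding whether it needs replacing, here is an added example that is not part of this article or of any Symantec tool: a small Python script that reads an exported PEM or DER certificate and reports its signature algorithm. It assumes the certificate has already been exported to a file; the sample certificates at the bottom are constructed stand-ins, not real SEPM certificates.

```python
import base64
import re

# Signature AlgorithmIdentifier OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, hash).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def certificate_signature_hash(cert):
    """Return (OID, algorithm name, hash) for a PEM or DER encoded certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, pos, _ = _read_tlv(cert, 0)          # enter the outer SEQUENCE
    _, _, pos = _read_tlv(cert, pos)        # skip tbsCertificate
    _, pos, _ = _read_tlv(cert, pos)        # enter signatureAlgorithm
    tag, start, end = _read_tlv(cert, pos)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(cert[start:end])
    return (oid,) + SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))

def is_sha1_signed(cert):
    """True when the certificate must be replaced with a SHA-2 signed one."""
    return certificate_signature_hash(cert)[2] == "SHA-1"

# Constructed minimal DER "certificates": empty tbsCertificate placeholder, AlgorithmIdentifier, empty signature BIT STRING.
SAMPLE_SHA1_DER = bytes.fromhex("3014 3000 300d 0609 2a864886f70d010105 0500 030100")
SAMPLE_SHA256_DER = bytes.fromhex("3014 3000 300d 0609 2a864886f70d01010b 0500 030100")
SAMPLE_SHA1_PEM = b"-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_SHA1_DER)
```

Run `is_sha1_signed(open("server.cer", "rb").read())` against the exported SEPM certificate; a `True` result means the certificate falls under the replacement advice above.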

For more information, please see the following Microsoft TechNet article: Windows Enforcement of SHA1 Certificates