What to do with obsolete abandoned CA certificates that use SHA-1?

Article ID: 168410

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

A ProxySG appliance uses some certificates that use SHA-1 as their hashing algorithm.
How can they be updated to avoid issues with the Microsoft deprecation of SHA-1?

Resolution

Depending on the type of certificate, and how it's used in the ProxySG appliance, there are multiple solutions.

Solution 1: HTTPS Management Console certificate. How may the expired self-signed SSL certificate used for accessing the HTTPS Management Console be changed?

  1. Generate a new Web Server certificate and import it into a new keyring, per the article "Change the expired self-signed SSL certificate (keyring) used for SSL Interception on the ProxySG".
  2. Replace the SHA-1 keyring with the new one created in step 1:
    1. Go to Configuration > Services > Management Services > HTTPS-Console > Edit.
    2. In the Keyring field, select the keyring imported in step 1.
    3. Click OK, then Apply to save your changes.

Solution 2: HTTPS Interception certificate

  1. Follow the steps in the article "Create a Certificate Signing Request (CSR) with an SHA-2 cryptographic hash function on the ProxySG" to generate a new Certificate Signing Request (CSR).
  2. Follow the steps in "Configure SSL interception with Microsoft PKI in an Explicit deployment" to take that CSR to the domain's Microsoft PKI server and have it signed for use as a subordinate CA certificate. That article also includes the steps to import the signed certificate.
  3. Update the SSL interception policy in the VPM (Visual Policy Manager) to use the new keyring created in step 2.
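Before and after either replacement, a practitioner will want to confirm which certificates are actually SHA-1 signed. The script below is an added example and is not part of this article or of the ProxySG software: it assumes the keyring certificates have been exported as PEM files into a directory (a placeholder path) and needs only a POSIX shell plus the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the KB article: find SHA-1 signed certificates among
# PEM files exported from the ProxySG keyrings (the directory path is a placeholder).
# Requires only a POSIX shell and the openssl command-line tool.

# Print the signature algorithm of one PEM certificate, e.g. "sha1WithRSAEncryption".
# "openssl x509 -text" prints the line twice (inside tbsCertificate and at the end).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Classify the signature: prints "sha1", "sha2" or "other" and returns
# non-zero for sha1 so the result can drive scripts (0 = acceptable).
# RSA-PSS certificates print "rsassaPss" here and land in "other"; their
# digest is on a separate "Hash Algorithm:" line and needs a manual look.
cert_sig_class() {
    sig_alg=$(cert_sig_alg "$1" | tr 'A-Z' 'a-z')
    case "$sig_alg" in
        *sha1*)                              echo sha1;  return 1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2;  return 0 ;;
        *)                                   echo other; return 2 ;;
    esac
}

# Scan every .pem file in a directory, print "class<TAB>algorithm<TAB>file" per
# certificate and return 1 if at least one SHA-1 signed certificate was found.
scan_dir() {
    found_sha1=0
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        cls=$(cert_sig_class "$pem") || true
        printf '%s\t%s\t%s\n' "$cls" "$(cert_sig_alg "$pem")" "$pem"
        if [ "$cls" = sha1 ]; then found_sha1=1; fi
    done
    return $found_sha1
}

# Usage: scan_dir /path/to/exported/keyrings   (placeholder path)
```

Run the scan again after applying Solution 1 or 2 and re-exporting the keyrings; a clean run exits 0 and lists no "sha1" rows.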