What to do with obsolete abandoned CA certificates that use SHA-1?


Article ID: 168410


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


A ProxySG appliance uses some certificates that are signed with SHA-1 as their hashing algorithm.
How can they be updated to avoid issues with the Microsoft deprecation of SHA-1?


Depending on the type of certificate and how it is used on the ProxySG appliance, there are several solutions.

Solution 1: HTTPS Management Console Certificate: replacing the expired self-signed SSL certificate used for accessing the HTTPS Management Console

  1. Generate a new Web Server certificate and import it into a new keyring, per the article Change the expired self-signed SSL certificate (keyring) used for SSL Interception on the ProxySG.
  2. Replace the SHA-1 keyring with the new one created in step 1:
    1. Configuration > Services > Management Services > HTTPS-Console > Edit
    2. Set the keyring to the one that you imported in Keyring.
    3. Click OK, and Apply to save your changes.

Solution 2: HTTPS Interception Certificate

  1. Follow the steps in article Create a Certificate Signing Request (CSR) with an SHA-2 cryptographic hash function on the ProxySG to generate a new Certificate Signing Request (CSR).
  2. Follow the steps in Configure SSL interception with Microsoft PKI in an Explicit deployment to take that CSR to the domain's Microsoft PKI server, and have it signed for use as a subordinate CA certificate. The article also includes steps to import that certificate.
  3. Update the SSL Interception policy in the VPM to use the new keyring created in step 2.
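Both solutions end with a certificate that should no longer be SHA-1 signed, and it is worth confirming that before importing it into a keyring (a CA may still hand back a SHA-1 signature if its template was never updated). The script below is an added example, not Broadcom's code and not something that runs on the appliance itself: it is meant for an administrator's workstation, reads a DER or PEM certificate with only the Python standard library, and reports the outer signatureAlgorithm OID, which is the field the Microsoft deprecation applies to. The certificates it is run against here are constructed skeletons (a dummy tbsCertificate and signature wrapped in a real AlgorithmIdentifier) so the parser can be exercised offline; the OID table is from RFC 3279/4055/5758. One caveat: Windows trusts a root CA by its presence in the trust store rather than by its self-signature, so a SHA-1 self-signature on a root is not the issue; the subordinate (SSL interception) and end-entity certificates are.

```python
"""Report the signature algorithm of X.509 certificates (DER or PEM) using only
the standard library, to find SHA-1-signed certificates before they are imported."""
import base64

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Convert OID content octets (base-128 arcs) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER or PEM certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    if b"-----BEGIN" in cert:               # PEM: strip armour lines and base64-decode
        body = b"".join(l for l in cert.splitlines() if l and not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    tag, outer, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(outer, 0)      # tbsCertificate, skipped
    tag, alg_id, _ = _read_tlv(outer, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def uses_sha1(cert):
    """True when the certificate's signature was produced with SHA-1."""
    return signature_algorithm(cert) in SHA1_OIDS


# --- constructed sample certificates (not real certificates; parser exercise only) ---

def _tlv(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID as DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def make_skeleton_cert(sig_oid):
    """Constructed sample: a Certificate SEQUENCE with a dummy tbsCertificate and a
    dummy 256-byte signature (long-form length), carrying the given signature OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 256)
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes in PEM armour."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        pem = to_pem(make_skeleton_cert(oid))
        name = SIG_ALG_NAMES.get(signature_algorithm(pem), "unknown")
        print(f"{name}: {'REPLACE (SHA-1)' if uses_sha1(pem) else 'ok'}")
```

To check a certificate exported from the appliance or returned by the Microsoft CA, read the file in binary mode and pass the bytes to `uses_sha1()`; a `True` result means the CA template still signs with SHA-1 and the certificate should not be imported into the new keyring.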