How to update the SCSP Self-signed certificate to enforce SHA1 hashing.
search cancel

How to update the SCSP Self-signed certificate to enforce SHA1 hashing.


Article ID: 181359


Updated On:


Critical System Protection





SCSP has been using the SHA1 hashing algorithm since version 5.2.4. Any installation made since that version is therefore secure. However, if a manager has been upgraded from an earlier version such as 5.0.x or 5.1.x, it will retain the original certificates. This can be verified by checking the signing algorithm according to HOWTO59835. In that case, the following unsupported procedure can be used to generate new SHA1 compliant certificates.

Required Resources:
"openssl.exe", Certificate tool, found in: C:\Program Files (x86)\Symantec\Critical System Protection\Server\tools
"keytool.exe", Keystore and cert tool, found in: C:\Program Files (x86)\Symantec\Critical System Protection\server\jre\bin
"agent-cert.ssl" and "server-cert.ssl", SCSP Certificate/Keystores found in: C:\Program Files (x86)\Symantec\Critical System Protection\server
"server.xml", SCSP Certificate Configuration file found in: "C:\Program Files (x86)\Symantec\Critical System Protection\server\tomcat\conf"
"keystorepass", Keystore password found in: server.xml


  1. Back up old certs to "agent-cert.ssl.ori" and "server-cert.ssl.ori".
  2. Run Keytool to generate a new Keystore and certificate:
    1. command: "keytool -genkey -alias sss -keyalg RSA -keystore server-cert.ssl -validity 5000 -keysize 2048"
    2. When prompted, enter KeystorePass password from server.xml or create a new strong password.
    3. First and last name: SCSP_Management_Server.
    4. OU: <server_hostname>.
    5. Other details optional.
  3. Run Keytool to generate Certificate Signing Request file.
    • command: "keytool -certreq -alias sss -keystore server-cert.ssl -file fim.csr"
  4. Run Keytool to export new certificate from new keystore
    • command: "keytool -export -alias sss -keystore server-cert.ssl -file exp.crt"
  5. Run keytool to generate new agent cert from certificate:
    • command: "keytool.exe -export -Alias sss -rfc -keystore server-cert.ssl -file agent-cert.ssl "
  6. Copy new "agent-cert.ssl" and "server-cert.ssl" to "C:\Program Files (x86)\Symantec\Critical System Protection\server".
  7. Stop SCSP Management Server service
  8. Only if new a new keystore password was used in step 2b, edit server.xml and replace keystorepass with new version (appears 3 separate times in the file)
  9. Restart management server service
  10. Log in to SCSP Console.
  11. Accept the new certificate.
  12. Copy "agent-cert.ssl" to all SCSP agents.
  13. If IPS is running, restore the null policy (this can be done locally by running "sisipsconfig -r").
  14. On each agent, run "sisipsconfig -c agent-cert.ssl". It is advisable to test thoroughly on one or more agents before rolling out elsewhere.
  15. Run "sisipsconfig -t" to test the connection.