Impact of the SHA-1 certificate suspension on PIM

Article ID: 209246

Products

CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Microsoft will stop the issuance of SHA-1 certificates, and the Windows OS will stop supporting SHA-1 certificates.

Does PIM use SHA-1 certificates? If SHA-1 certificates are stopped, will PIM be affected?

Is there a hotfix or patch to resolve this problem?

Cause

All the PIM endpoint and PAMSC binaries are digitally signed using the SHA-1 certificate.

Environment

Release: 12.8x and higher till PAMSC 14.1 CP02 (As of the writing of this document)

Component: CA Control Minder / PAMSC

Operating System: Windows 2008, 2012, 2016

Resolution

1) We assume that you do not use the Secure Boot feature on Windows 2016. If Secure Boot is turned on, our drivers (in the OS versions mentioned above) won't function.

2) With Secure Boot disabled, the PIM drivers (v12.81.3083, v12.80.1587, and v12.80.1432) should continue to work normally even beyond the cutoff expiry date, since they are already signed. You should therefore have no problem running the same versions on all three platform versions (given that Secure Boot is disabled). The same applies to R14.x releases.

3) For any new kernel driver release, upgrade, or patch, these certificates won't work until MS HCK/HLK tests, followed by direct (not third-party) MS certification, are obtained. In short, new driver releases won't work past the cutoff expiry date.
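
To check an endpoint against the conditions above, the following added example (not code from the vendor or this article) reports the Secure Boot state and lists the installed binaries whose signing certificate uses SHA-1. `$InstallDir` is a placeholder for your PIM/PAMSC installation directory, and PowerShell 3.0 or later is assumed.

```powershell
param(
    # Placeholder: pass the PIM/PAMSC installation directory on this host.
    [Parameter(Mandatory = $true)] [string] $InstallDir
)

# Secure Boot state. Confirm-SecureBootUEFI returns $true or $false on UEFI
# systems; it fails on legacy BIOS, when not elevated, or where the cmdlet
# is missing, so treat any failure as "unknown".
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch {
    $secureBoot = $null
}

# Collect Authenticode details for every driver and executable under $InstallDir.
$report = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.sys, *.dll, *.exe |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate          # $null when the file is unsigned
        [pscustomobject]@{
            File          = $_.FullName
            IsDriver      = ($_.Extension -eq '.sys')
            Status        = $sig.Status
            CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            CertNotAfter  = if ($cert) { $cert.NotAfter } else { $null }
        }
    }

# Binaries whose signing certificate is SHA-1 based (for example "sha1RSA").
$sha1Signed = @($report | Where-Object { $_.CertAlgorithm -like 'sha1*' })

if ($null -eq $secureBoot) {
    Write-Output 'Secure Boot: unknown (legacy BIOS, not elevated, or cmdlet unavailable)'
} else {
    Write-Output ("Secure Boot enabled: {0}" -f $secureBoot)
}
Write-Output ("Binaries scanned: {0}; SHA-1 signed: {1}" -f @($report).Count, $sha1Signed.Count)

# Per the Resolution above, SHA-1 signed drivers are expected to load only
# while Secure Boot is disabled, so flag the combination explicitly.
if ($secureBoot -and ($sha1Signed | Where-Object { $_.IsDriver })) {
    Write-Warning 'Secure Boot is enabled and SHA-1 signed drivers are present.'
}

$sha1Signed | Sort-Object File | Format-Table File, Status, CertAlgorithm, CertNotAfter -AutoSize
```

Run it from an elevated session so that the Secure Boot query can succeed.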
