Upgrading System-Default-Secure-Channel-Cert from SHA-1 to SHA-2 While Retaining the Same CA
Article ID: 388476

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • This process generates a new secure channel certificate request, signs it with the controller's existing CA using a SHA-2 (SHA-256) digest, and installs the result, so the certificate still chains to the same CA but no longer depends on SHA-1.
  • Practical SHA-1 collisions have been demonstrated, and current cryptographic policies and compliance baselines reject SHA-1-signed certificates, so the secure channel certificate should be re-issued with SHA-2.

Environment

VMware

Cause

The secure channel certificate on the Avi Controller is signed with SHA-1. It must be re-issued with a SHA-2 signature (SHA-256 here) while keeping the same issuing CA, so that existing trust in that CA remains valid.

 

Resolution

To upgrade the secure channel certificate to SHA-2, follow these steps:

Log in to the controller CLI over SSH, become root, and change to the CA directory:

sudo -s
cd /var/lib/avi/ca/

Back up index.txt (for example, copy it to index.txt.bak), then comment out the existing entry whose CN (Common Name) is "node.controller.local" by prefixing that line with "### ". Put the prefix at the start of the existing line without inserting a new tab-separated field. This step is required because openssl ca refuses to issue a second certificate for a subject that already has a valid (V) entry in its database; a commented-out entry is no longer counted for that check.

vi /var/lib/avi/ca/index.txt
### V   340211075022Z       05  unknown /C=US/ST=California/L=Santa Clara/O=Controller/CN=node.controller.local


Create a temporary directory for the certificates:

mkdir /tmp/certs
cd /tmp/certs/

Generate a new SHA-2 certificate request:

openssl req -sha256 -new -newkey rsa:4096 -nodes -subj "/C=US/ST=California/L=Santa Clara/O=Controller/CN=node.controller.local" -keyout csr.key -out csr

Sign the request with the controller's existing CA. The command keeps the same CA key and certificate, selects a SHA-256 digest with -md sha256, and reuses the validity end date from the commented-out index.txt entry (340211075022Z):

openssl ca -name CA_default -md sha256 -config /etc/ssh/caconfig.cnf -batch -keyfile /var/lib/avi/ca/private/cakey.pem -startdate 700101000000Z -enddate 340211075022Z -notext -cert /var/lib/avi/ca/certs/cacert.pem -in csr -out leaf.crt

Copy leaf.crt and csr.key from the controller to your workstation with WinSCP (or scp), or print them and copy the output from the terminal:

cat /tmp/certs/leaf.crt
cat /tmp/certs/csr.key

csr.key is the private key of the new controller certificate. Move it only over an encrypted channel (SCP/SFTP or the SSH session itself), and remove /tmp/certs once the certificate has been imported.

 

Log in to the Avi Controller UI and navigate to Templates > Security > SSL Certs.

Click Create > Controller Cert, choose Import Certificate, and paste the contents of leaf.crt as the certificate and csr.key as the private key.

Verify that the imported leaf.crt certificate is linked to the CA certificate in the UI and that its signature algorithm is now SHA-256 (sha256WithRSAEncryption) rather than SHA-1.
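The procedure above, rehearsed end to end as an added example (this is not code from the KB or from the Avi product): it builds a throwaway CA in a temporary directory using the same section name the KB's openssl ca command selects, issues a SHA-1 leaf for node.controller.local, shows that openssl ca refuses a second certificate for that subject until the index.txt row is commented out, re-issues with SHA-256 using the KB's two commands, and then runs the checks worth doing on the real leaf.crt before importing it (signature algorithm, chain to the CA, subject, and key/certificate match). Assumptions: the openssl CLI is installed; all paths, the scratch CA name, and the 2048-bit key size exist only for the rehearsal and do not correspond to the controller's /var/lib/avi/ca layout or /etc/ssh/caconfig.cnf.

```shell
#!/bin/sh
# Added example (not from the KB): rehearse the SHA-1 -> SHA-256 re-issue against a scratch CA
# in a temp directory, then run the checks you would run on the real leaf.crt before import.
# Assumptions: openssl CLI in PATH; every path below is scratch, not the controller's
# /var/lib/avi/ca layout; 2048-bit keys keep the rehearsal fast (the KB uses rsa:4096).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"
CONF="$WORK/caconfig.cnf"
CN="node.controller.local"
SUBJ="/C=US/ST=California/L=Santa Clara/O=Controller/CN=$CN"

# Build a minimal CA whose section name matches the KB's "-name CA_default".
setup_ca() {
  mkdir -p "$CA/certs" "$CA/private" "$CA/newcerts"
  : > "$CA/index.txt"
  echo 05 > "$CA/serial"
  cat > "$CONF" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
policy          = policy_any
unique_subject  = yes
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$CONF" \
    -extensions v3_ca -subj "/C=US/O=Controller/CN=Scratch Avi CA" \
    -keyout "$CA/private/cakey.pem" -out "$CA/certs/cacert.pem" >/dev/null 2>&1
}

# The KB's two commands: a CSR with the controller's subject, then openssl ca with an explicit
# digest, the fixed validity window, and the CA key and certificate given on the command line.
issue() {  # issue <digest> <keyout> <certout>
  openssl req "-$1" -new -newkey rsa:2048 -nodes -config "$CONF" -subj "$SUBJ" \
      -keyout "$2" -out "$WORK/csr" >/dev/null 2>&1 &&
  openssl ca -name CA_default -md "$1" -config "$CONF" -batch \
      -keyfile "$CA/private/cakey.pem" -cert "$CA/certs/cacert.pem" \
      -startdate 700101000000Z -enddate 340211075022Z -notext \
      -in "$WORK/csr" -out "$3" >/dev/null 2>&1
}

# The KB's index.txt step done with sed instead of vi: back the database up, then prefix the
# valid (V) row for the CN with "### " without adding a tab, so openssl ca no longer counts it
# when it checks for an existing certificate with the same subject.
comment_out_subject() {  # comment_out_subject <index.txt> <cn>
  cp "$1" "$1.bak"
  sed "s|^V\(.*/CN=$2\)\$|### V\1|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Checks to run on the real leaf.crt before importing it.
sig_alg()     { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ && !f { print $3; f = 1 }'; }
subject_cn()  { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
chain_ok()    { openssl verify -CAfile "$CA/certs/cacert.pem" "$1" >/dev/null 2>&1; }
key_matches() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }

setup_ca
OLD_CRT="$WORK/old.crt"; NEW_CRT="$WORK/leaf.crt"; NEW_KEY="$WORK/csr.key"

# 1. Starting point: a SHA-1 leaf for node.controller.local recorded as valid in index.txt.
if issue sha1 "$WORK/old.key" "$OLD_CRT"; then
  OLD_MD=sha1
else
  # Some OpenSSL builds refuse to create SHA-1 signatures (system crypto policy); fall back to
  # SHA-256 for the "old" certificate so the rest of the rehearsal still runs.
  OLD_MD=sha256; issue sha256 "$WORK/old.key" "$OLD_CRT"
fi

# 2. While that row is marked V, the CA refuses a second certificate for the same subject.
if issue sha256 "$NEW_KEY" "$NEW_CRT"; then DUP_REFUSED=no; else DUP_REFUSED=yes; fi

# 3. Comment the row out, then re-issue with SHA-256 from the same CA.
comment_out_subject "$CA/index.txt" "$CN"
issue sha256 "$NEW_KEY" "$NEW_CRT"

# 4. Report what you would verify on the controller's leaf.crt.
echo "old cert signature:    $(sig_alg "$OLD_CRT")"
echo "duplicate refused:     $DUP_REFUSED"
echo "new cert signature:    $(sig_alg "$NEW_CRT")"
echo "new cert subject CN:   $(subject_cn "$NEW_CRT")"
chain_ok "$NEW_CRT";               echo "chains to CA cert:     yes"
key_matches "$NEW_CRT" "$NEW_KEY"; echo "csr.key matches cert:  yes"
```

Run it as sh rehearse.sh. To apply the same checks to the real files, point sig_alg, chain_ok and key_matches at leaf.crt, /var/lib/avi/ca/certs/cacert.pem and csr.key. If the local OpenSSL build refuses to create SHA-1 signatures, the script issues the "old" certificate with SHA-256 instead and reports that; the duplicate-subject refusal and the re-issue are unaffected.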