Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2
Hi All,
I am hearing the news that SHA-1 certificates will soon be phased out on Chrome and Microsoft platforms. I am OK with replacing public certificates with SHA-2 certificates.
But I see that our internal certificates are also issued with the SHA-1 algorithm, and these SSL certificates are used on the LAN to access internal sites. So do I need to get internal certificates reissued with SHA-2 (256)? If so, what changes do I need to make on the CA server to use the SHA-2 algorithm?
Thanks in advance.
Mahi
On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
Currently no. All of the current SHA1 deprecation notices from Microsoft
apply only to public root CAs that are part of the Microsoft Trusted Root
program.
You should start planning to migrate your internal CAs however. At some
point in time I think you'll find that all SHA1 certificates will be
deprecated.
Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it, it is pointless to have legacy SHA1 in your environment if the browser can't distinguish one from the other.
This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
IE does not itself do certificate validation; that is passed off to the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are no longer accepted, determining whether the certificate being validated chains to an internal or an external root will be done by the certificate chaining engine and not directly by IE.
The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".
Similar Messages
-
How to enable SHA-2 hashing algorithm support on windows 7
Hello All,
Please suggest how to invalidate the SHA-1 and MD5 algorithms on Windows 7 and how to enable SHA-2.
As suggested by Microsoft regarding the availability of the SHA-2 hashing algorithm, security update KB2949927 is installed on Windows 7.
Thank You
Hi,
Please check if you have installed the below mentioned update:
http://support.microsoft.com/kb/2973337/en-us
After installing this update, SHA512 is enabled for TLSv1.2.
IE shall also be using TLS internally. Hope that should resolve your problem.
Please refer to the below link for a similar discussion and its solution posted there:
https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
(Please mark as answer if it resolves your issue. Please upvote if it is helpful.)
Regards,
Rajesh -
I use SalesForce for my client CRM. I've just received a notice informing me that they are upgrading from SHA-1 hash to SHA-256 for increased HTTPS certificate security. Will my current OS X version (Mountain Lion) and Safari version (6.2.2) support this upgrade?
NEVERMIND! SalesForce provided a test page and I was able to determine that both my Mac and Windows environments and browsers support the upgrade.
-
Would anybody know what signature hash algorithm is being used by Apple Mail?
And can it be selected?
As NIST recommends the use of SHA-2 in 2011.
I have searched quite a while but no information is found in this area.
Thanks for your help in advance!
I've had the same problem now for approximately 6 months. Many of the senders in my inbox are wrong. I haven't changed anything other than upgraded to OS 10.7. It only affects some emails and not all. It is a problem when I search as well because the sender details can't be found.
Please help!!!
Thanks. -
Cisco ASA image verification with SHA-512 hashes
where are the SHA-512 values provided for the
Cisco ASA image verification example -> verify disk0:/asa915-k8.bin
CCO Hash SHA-512: 84f099d63e85c24bf0f541f2d9c342b466ee6224887dd4979e806aab9c0665)
CCO provides only MD5 (yes, there is a way to calculate MD5 hash), where are the SHA-512 hashes ?
br fasbasoft-534
The SHA-512 hashes would be for other (non-image) files that you are trying to verify where you have their SHA-512 hash value.
As you note, only the MD5 values are posted on cisco.com so you simply need to use the "verify /md5" option. -
We have a Certificate Authority (Version: 5.2.3790.3959) configured on a Windows 2003 R2 server in our environment. How do I generate an SSL cert with a stronger signature algorithm, such as SHA1 or SHA2?
Currently I am only able to generate an SSL cert with md5RSA.
Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang -
HTTPS SSL Certificate Signed using Weak Hashing Algorithm
I am supporting a client for whom security scans are mandatory for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.
The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for the same?
Nessus Scanner reports
Medium Severity Vulnerability
Port : https (443/tcp)
Issue:
SSL Certificate Signed using Weak Hashing Algorithm
Synopsis :
The SSL certificate has been signed using a weak hash algorithm.
Description :
The remote service uses an SSL certificate that has been signed using
a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
signature algorithms are known to be vulnerable to collision attacks.
In theory, a determined attacker may be able to leverage this weakness
to generate another certificate with the same digital signature, which
could allow him to masquerade as the affected service.
See also :
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068
Solution :
Contact the Certificate Authority to have the certificate reissued.
Plugin Output :
Here is the service's SSL certificate :
Subject Name:
Common Name: xxxxxxxxxx
Issuer Name:
Common Name: xxxxxxxxxx
Serial Number: D8 2E 56 4E
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Aug 25 11:15:36 2011 GMT
Not Valid After: Aug 22 11:15:36 2021 GMT
Public Key Info:
Algorithm: RSA Encryption
Exponent: 01 00 01
CVE :
CVE-2004-2761
BID :
BID 11849
BID 33065
Other References :
OSVDB:45106
OSVDB:45108
OSVDB:45127
CWE:310
Nessus Plugin ID :
35291
VulnDB ID:
69469
I also tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.
Here is the ASA log:
7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587
Hi Ramkumar,
The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
The links you posted have more information on this as well. Hope that helps.
-Mike -
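The scanner finding and the answer above both turn on the certificate's signature algorithm, not on the negotiated cipher suite shown in the log. As an added example (not code from the original posts, Nessus or Cisco), the sketch below reads the outer `signatureAlgorithm` OID from a DER certificate and classifies it for a SHA-2 migration inventory; the verdict labels and the `sample_cert` skeleton are assumptions constructed for the demonstration.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 4055) -> (name, verdict).
# Verdict labels are this example's own: "weak" matches the scanner finding,
# "deprecated" matches the SHA-1 phase-out discussed in the threads.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (first-byte split is valid for 0.x and 1.x OIDs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06 or oid_end == oid_start:
        raise ValueError("missing algorithm OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, (oid, "unknown"))

def der_tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    header = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + header + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid):
    """Constructed skeleton, not a real certificate: dummy body and signature."""
    tbs = der_tlv(0x30, b"\x02\x01\x02" * 50)
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    sig = der_tlv(0x03, b"\x00" + b"\xAA" * 128)
    return der_tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(classify(sample_cert(oid)))
```

For a real inventory, pass the DER bytes of each deployed certificate to `classify` and reissue anything that is not reported as `ok`.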
Hi,
I just want to know,
What version of SQL Server supports SSL connections with TLS 1.2 (SHA-256 hash)?
If it is already supported,
how can I set it up?
Please help me!!!
The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided by Windows) for facilitating encryption. Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which encryption method is used to encrypt connections between SQL Server and clients.
http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
So the question then becomes which versions of Windows Server support TLS 1.2. The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate. By following the instructions in the following article you should then be able to enable TLS 1.2 encryption for connections between SQL Server and your clients:
http://support.microsoft.com/kb/316898
I hope that helps. -
SSL certificate migration.
Hi all,
I had to upgrade my production server from 4.1 to 6.0sp4. The server was also different as we can't afford any big down-time. I couldn't find any iWS related proper documentation for SSL certificate migration between different servers, so I did a hack and copied the cert7.db and key3 db manually and renamed it as expected...
I was never sure if I was doing right.... BUT IT WORKED :-)
Now, after setting up the live server for a month, I am getting complaints about certificate errors and/or warnings from various customers. In all cases there is a problem coz of 'ancient' browsers (like lesser than IE5 or NS4.7). Any modern browser is working perfectly (including my favorite Opera). And customers are happy again coz the site is working fine after a browser upgrade. But my concern is:
HAVE I DONE ANYTHING WRONG IN SSL MIGRATION OR ITZ JUST iWS 6.0's PROBLEM?
Any info / suggestion will be highly appreciated.
Thanx.
There isn't enough information for me to be certain, but I suspect the errors are unrelated to anything on the server side. The most likely explanation is that the ancient browsers have an expired root CA cert for the CA that signed your certificate. Upgrading either the browser or the browser's root CA certs would address the problem.
Copying the trust database files from iWS 4.1 to iWS 6.0 is safe. -
WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES
Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have SHA-1 SSL certificate from GoDaddy.
They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate? (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.)
Hi, I do not know, but I doubt it.
Here's the 10.4 Server forum if you want to ask over there...
Mac OS X Server v10.4 and earlier -
Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway
Hi, we have just migrated our SSL certificate from our Outlook exchange server. Outlook web access works perfectly, but two of our users who have Blackberry devices set up to get their email via owa now fail.
Everything worked fine before the migration.
The new SSL gateway is an Apache box running mod_proxy, mod_SSL and mod_sec. Protecting the box running owa and IIS6.
I can provide the http.conf etc, but I can see the traffic passed by Apache but I am getting a 401 message on the way back through to the device.
Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
Thanks in advance
Mike
Hello there!
You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
Try this article.
And this one.
And this one.
And this one.
You also can search the public KBs for more relevant articles:
http://www.blackberry.com/btsc/microsites/microsite.do
Good luck and let us know!
Occam's Razor nearly always applies when troubleshooting technology issues!
-
Which SHA hash algorithm is DS 5.1 using?
I'm trying to find out whether DS 5.1 uses SHA-1 (160 bit) or SHA-256 (256 bit). I'm using ColdFusion to query the directory, and in order to compare the password given by the user with the one stored in the directory I should hash the given password. ColdFusion (a library, it's not a default function) has two different hash algorithms, SHA-1 and SHA-256. Which one should I use?
ioanna
DS uses SHA-1 (160 bit). And I'm not sure what you are proposing will work. I think you need the salt to generate the hash. Why do you need to compare the password outside the directory? You might be able to use the LDAP compare operation.
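The point about the salt in the answer above, as an added example (not from the original post or from Directory Server itself): it assumes the stored value uses the common LDAP `{SHA}` / `{SSHA}` userPassword layouts, where `{SSHA}` is base64(SHA-1(password + salt) + salt), and all sample values are constructed.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a SHA-1 digest (160 bit)

def make_entry(password, salt=b""):
    """Build a constructed stored value: {SHA} when salt is empty, else {SSHA}."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    scheme = "{SSHA}" if salt else "{SHA}"
    return scheme + base64.b64encode(digest + salt).decode("ascii")

def naive_match(password, stored):
    """What hashing the typed password with plain SHA-1 amounts to (ignores the salt)."""
    raw = base64.b64decode(stored.partition("}")[2])
    return hashlib.sha1(password.encode("utf-8")).digest() == raw[:SHA1_LEN]

def verify(password, stored):
    """Recover the salt from the stored value, then recompute and compare."""
    scheme, brace, b64 = stored.partition("}")
    scheme = scheme.upper() + brace
    if scheme not in ("{SHA}", "{SSHA}"):
        raise ValueError("unsupported storage scheme")
    raw = base64.b64decode(b64)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        raise ValueError("stored value too short for SHA-1")
    if (scheme == "{SSHA}") != bool(salt):
        raise ValueError("salt does not match the storage scheme")
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

if __name__ == "__main__":
    stored = make_entry("s3cret", b"constructed-salt")
    print(stored, naive_match("s3cret", stored), verify("s3cret", stored))
```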
-
Can anybody tell me which files I need to copy to migrate ssl certificates from Tiger server to Leopard server? I've noticed that the files in /etc/certificates relate to the certificates in /Library/Keychains/system.keychain... is it simply a matter of copying these files to the same locations in Leopard?
You should be able to use Keychain to export those certificates on the old box and then use Keychain on the new box to import them. Otherwise you can always do it on the command line via openssl...
-
SHA-2 SSL certificates supported on Server v10.5?
Am upgrading Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) to Server 10.5 and currently have SHA-1 SSL certificate from GoDaddy.
They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
Is Mac OS Server 10.5 capable of serving up a SHA-2 SSL certificate? (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.)
Mac mini, Mac OS X Server (10.4.11, upgrading to 10.5.x), Power PC 1.42GHz
Hi, I do not know, but I doubt it.
Here's the 10.4 Server forum if you want to ask over there...
Mac OS X Server v10.4 and earlier -
SA520 Wildcard SSL Certificate?
I have a wildcard SSL certificate for our domain from RapidSSL. I installed the intermediary certificates fine but I can't get the actual cert to install. I get the "Can't Upload Invalid Self Certificate" message. Has anyone else ever successfully used a wildcard cert with an SA?
Hello Mr. Williamson,
In order to get a new SSL certificate please follow the next instructions:
STEP 1 Click Administration > Authentication.
The Authentication (Certificates) window opens.
STEP 2 For each type of certificate, perform the following actions, as needed:
• To add a certificate, click Upload. You can upload the certificate from the PC
or the USB device. Click Browse, find and select the certificate, and then
click Upload.
• To delete a certificate, check the box to select the certificate, and then click
Delete.
• To download the router’s certificate (.pem file), click the Download button
under the Download Settings area.
STEP 3 To request a certificate from the CA, click Generate CSR.
The Generate Certification Signing Request window opens.
a. Enter the distinguished name information in the Generate Self Certificate
Request fields.
• Name: Unique name used to identify a certificate.
• Subject: Name of the certificate holder (owner). The subject field populates
the CN (Common Name) entry of the generated certificate and can contain
these fields:
- CN=Common Name
- O=Organization
- OU=Organizational unit
- L= Locality
- ST= State
- C=Country
For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
Whatever name you choose will appear in the subject line of the generated
CSR. To include more than one subject field, enter each subject separated
by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA
• Hash Algorithm: Algorithm used by the certificate. Choose between MD5
and SHA-1
• Signature Algorithm: Algorithm (RSA) used to sign the certificate.
• Signature Key Length: Length of the signature, either 512 or 1024.
• (Optional) IP Address, Domain Name, and Email Address
b. Click Generate.
A new certificate request is created and added to the Certification Signing
Request (CSR) table. To view the request, click the View button next to the
certificate you just created.
Or you could check it at the following link; please see page 191:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
Hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.
Thank you