Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2

HI All,
I am hearing the news that SHA-1 certificates will be soon phased out on Chrome and Microsoft platforms. I am Ok with replacing public certificates with SHA-2 certificates.
But I see that our internal certificates are also issued with SHA-1 algorithm. And these SSL certificates are used in LAN to access internal sites. So Do I need to get internal certificates reissued with SHA-2(256)? If so what do I need to make the
changes on CA server to use SHA-2 algorithm.
Thanks in advance.
Mahi

On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
Currently no. All of the current SHA1 deprecation notices from Microsoft
apply only to public root CAs that are part of the Microsoft Trusted Root
program.
You should start planning to migrate your internal CAs however. At some
point in time I think you'll find that all SHA1 certificates will be
deprecated.
Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it is this is all pointless to have legacy SHA1 in your environment if the browser cant distinguish one from
the other.
This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
IE does not itself do certificate validation, that is passed off the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are
no longer accepted arrives, determining whether the certificate being validated chains to an internal or an external root will be determined by the certificate chaining engine and not directly by IE.
The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".

Similar Messages

  • How to enable SHA-2 hashing algorithm support on windows 7

    Hello All,
    Please suggest how to invalidate SHA-1 and MD5 algorithm on windows 7 and how to enable SHA-2.
    As suggested by Microsoft, regarding the availability of SHA-2 hashing algorithm, security update KB2949927 is installed on windows 7.
    Thank You

    Hi,
    Please check if you have installed the below mentioned update:
    http://support.microsoft.com/kb/2973337/en-us
    After installing this update, SHA512 is enabled for TLSv1.2.
    IE shall also be using TLS internally. Hope that should resolve your problem.
    Please refer to the below link for a similar discussion and its solution posted there:
    https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
    (Please mark as answer if it resolves your issue. Please upvote if it is helpful.)
    Regards,
    Rajesh

  • Do Mountain Lion and Safari 6.2.2 support SHA-256 Hash algorithms in HTTPS security certificates?

    I use SalesForce for my client CRM. I've just received a notice informing me that they are upgrading from SHA-1 hash to SHA-256 for increased HTTPS certificate security. Will my current OS X version (Mountain Lion) and Safari version (6.2.2) support this upgrade?

    NEVERMIND! SalesForce provided a test page and I was able to determine that both my Mac and Windows environments and browsers support the upgrade.

  • Signature hash algorithm (e.g. SHA-1, SHA-256...) used in Apple Mail ?

    Would anybody know what is the signature hash algorithm being used by Apple Mail ?
    And can be selected ?
    As NIST recommends the use of SHA-2 in 2011.
    I have searched quite a while but no information is found in this area.
    Thanks your help in advance !

    I've had the same problem now for approximately 6 months. Many of the senders in my inbox are wrong. I haven't changed anything other than upgraded to OS 10.7. It only effects some emails and not all. It is a problem when I search as well because the sender details can't be found
    Please help!!!
    Thanks.

  • Cisco ASA image verification with SHA-512 hashes

    where are the SHA-512 values provided for the 
    Cisco ASA image verification example -> verify disk0:/asa915-k8.bin
    CCO Hash      SHA-512: 84f099d63e85c24bf0f541f2d9c342b466ee6224887dd4979e806aab9c0665)
    CCO provides only MD5  (yes, there is a way to calculate MD5 hash), where are the SHA-512 hashes ?
    br fasbasoft-534

    The SHA-512 hashes would be for other (non-image) files that you are trying to verify where you have their SHA-512 hash value.
    As you note, only the MD5 values are posted on cisco.com so you simply need to use the "verify /md5" option.

  • Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

    We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
    Currently i am only able to generate SSL cert with md5RSA.

    Hi,
    Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
    Therefore, you need to build a new CA to use a new algorithm.
    More information for you:
    Is it possible to change the hash algorithm when I renew the Root CA
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
    Changing public key algorithm of a CA certificate
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
    modify CA configuration after Migration
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
    Best Regards,
    Amy Wang

  • HTTPS SSL Certificate Signed using Weak Hashing Algorithm

    I am support one client for,  whom falls under Security  scans mandatory for new implementation of ASA 5520 device .  The client uses Nessus Scan and  the test results are attached
    The Nessus scanner hit on 1 Medium vulnerabilities, Could you pls review the statement and provide work around for the same.
    Nessus Scanner reports
    Medium Severity Vulnerability
    Port : https (443/tcp)
    Issue:
    SSL Certificate Signed using Weak Hashing  Algorithm
    Synopsis :
    The SSL certificate has been signed using  a weak hash algorithm.
    Description :
    The remote service uses an  SSL certificate that has been signed using
    a cryptographically weak hashing  algorithm - MD2, MD4, or MD5. These
    signature algorithms are known to be  vulnerable to collision attacks.
    In theory, a determined attacker may be  able to leverage this weakness
    to generate another certificate with the same  digital signature, which
    could allow him to masquerade as the affected  service.
    See also :
    http://tools.ietf.org/html/rfc3279
    http://www.phreedom.org/research/rogue-ca/
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    http://www.kb.cert.org/vuls/id/836068
    Solution :
    Contact the Certificate Authority to have the certificate  reissued.
    Plugin Output :
    Here is the service's SSL certificate  :
    Subject Name:
    Common Name: xxxxxxxxxx
    Issuer Name:
    Common Name: xxxxxxxxxx
    Serial Number: D8 2E 56 4E
    Version: 3
    Signature Algorithm: MD5 With RSA  Encryption
    Not Valid Before: Aug 25 11:15:36 2011 GMT
    Not Valid After:  Aug 22 11:15:36 2021 GMT
    Public Key Info:
    Algorithm: RSA  Encryption
    Public Key: 00 AA AB 57 9C 74 FF E9 FB 68 E1 BF 69 90 8E D2 65 7F  DF 40
    D6 F6 29 E7 35 5E 16 FB 76 AA 03 3F 47 07 5A D0 6D 07 E0 EC
    06 7E  D4 9A 43 C6 B3 A6 93 B7 76 CC 58 31 25 36 98 04 30 E6
    77 56 D7 C3 EE EF 7A  79 21 5E A0 78 9B F6 1B C5 E6 2A 10 B5
    CB 90 3D 6D 7C A0 8D B1 B8 76 61 7F  E2 D1 00 45 E2 A1 C7 9F
    57 00 37 60 27 E1 56 2A 83 F5 0E 48 36 CC 61 85 59  54 0C CB
    78 82 FB 50 17 CB 7D CD 15
    Exponent: 01 00 01
    Signature: 00 24 51 24 25 47 62 30 73 95 37 C4 71 7E BD E4 95 68 76 35
    2E AF 2B 4A 23 EE 15 AF E9 09 93 3F 02 BB F8 45 00 A1 12 A9
    F7 5A 0C E8  4D DB AE 92 70 E4 4C 24 10 58 6B A9 87 E1 F0 12
    AE 12 18 E8 AB DF B9 02 F7  DA BE 3C 45 02 C4 1E 81 44 C2 74
    25 A2 81 E7 D6 38 ED B9 66 4C 4A 17 AC E3  05 1A 01 14 88 23
    E8 9F 3B 5C C5 B8 13 97 27 17 C3 02 5F 6E 7C DB 4C D3 65  B5
    C5 FC 94 62 59 04 E7 7E FB
    CVE :
    CVE-2004-2761
    BID :
    BID 11849
    BID  33065
    Other References :
    OSVDB:45106
    OSVDB:45108
    OSVDB:45127
    CWE:310
    Nessus Plugin ID  :
    35291
    VulnDB ID:
    69469
    and try with configure the ssl encryption method with " ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5" but it throws the same issue.
    Here is ASA log
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
    6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
    6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
    6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587
    H

    Hi Ramkumar,
    The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
    If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
    If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
    The links you posted have more information on this as well. Hope that helps.
    -Mike

  • What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)

    Hi,
    I just want to know,
    What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).
    if support already,
    how can i setting.
    plz.  help me!!! 

    The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided
    by Windows) for facilitating encryption.  Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which
    encryption method is used to encrypt connections between SQL Server and clients.
    http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
    So the question then becomes which versions of Windows Server support TLS 1.2.  The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
    http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
    So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate.  By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
    for connections between SQL Server and your clients:
    http://support.microsoft.com/kb/316898
    I hope that helps.

  • SSL certificate migration.

    Hi all,
    I had to upgrade my production server from 4.1 to 6.0sp4. The server was also different as we can't afford any big down-time. I couldn't find any iWS related proper documentation for SSL certificate migration between different servers, so I did a hack and copied the cert7.db and key3 db manually and renamed it as expected...
    I was never sure if I was doing right.... BUT IT WORKED :-)
    Now after setting up live server for a months, I am getting complains about certificate errors and/or warnings from various customers. In all cases there is a problem coz of 'ancient' browsers (like lesser than IE5 or NS4.7). Any mordern browser is working perfectly (including my favorite Opera). And customers are happy again coz site is working fine after browser upgrade. But my concern is:
    HAVE I DONE ANYTHING WRONG IN SSL MIGRATION OR ITZ JUST iWS 6.0's PROBLEM?
    Any info / suggestion will be highly appreciated.
    Thanx.

    There isn't enough information for me to be certain, but I suspect the errors are unrelated to anything on the server side. The most likely explanation is that the ancient browsers have an expired root CA cert for the CA that signed your certificate. Upgrading either the browser or the browser's root CA certs would address the problem.
    Copying the trust database files from iWS 4.1 to iWS 6.0 is safe.

  • WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES

    Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have SHA-1 SSL certificate from GoDaddy.
    They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
    Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.

    Hi, I do not know, but I doubt it.
    Here's the 10.4 Server forum if you want to ask over there...
    Mac OS X Server v10.4 and earlier

  • Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway

    Hi we have just migrated our SSL certificate form our Outlook exchange server, outlook web access works perfectly but two of our users who have Blackberry devices set up to get their email via owa now fail. 
    Everything worked fine before the migration.
    The new SSL gateway is an Apache box running mod_proxy, mod_SSL and mod_sec.  Protecting the box running owa and IIS6.
    I can provide the http.conf etc, but I can see the traffic passed by Apache but I am getting a 401 message on the way back through to the device.
    Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
    Thanks in advance
    Mike

    Hello there!
    You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
    Try this article.
    And this one.
    And this one.
    And this one.
    You also can search the public KBs for more relevant articles:
    http://www.blackberry.com/btsc/microsites/microsite.do
    Good luck and let us know!
    Occam's Razor nearly always applies when troubleshooting technology issues!
    If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
    Join our BBM Channels
    BSCF General Channel
    PIN: C0001B7B4   Display/Scan Bar Code
    Knowledge Base Updates
    PIN: C0005A9AA   Display/Scan Bar Code

  • Which SHA hash algorithm is DS 5.1 using?

    i'm trying to find out whether DS 5.1 uses the SHA-1 (160 bit) or the SHA-256 (256bit). i'm using coldfusion to query the directory and in order to compare password given by the user with the one stored in the directory i should hash the given password. coldfusion (a library, it's not a default function) has two differnt hash algorithms SHA-1 and SHA-256, which one should i use?
    ioanna

    DS uses SHA-1 (160 bit). And I'm not sure what you are proposing will work. I think you need the salt to generate the hash. Why do you need to compare the password outside the directory? You might be able to use the LDAP compare operation.

  • Migrating SSL certificates

    Can anybody tell me which files I need to copy to migrate ssl certificates from Tiger server to Leopard server? I've noticed that the files in /etc/certificates relate to the certificates in /Library/Keychains/system.keychain... is it simply a matter of copying these files to the same locations in Leopard?

    You should be able to use Keychain to export those certificates on the old box and then use Keychain on the new box to import them. Otherwise you can always do it on the command line via openssl...

  • SHA-2 SSL certificates supported on Server v10.5?

    Am upgrading Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) to Server 10.5  and currently have SHA-1 SSL certificate from GoDaddy.
    They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
    Is Mac OS Server 10.5 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.
    Mac mini, Mac OS X Server (10.4.11, upgrading to 10.5.x), Power PC 1.42GHz

    Hi, I do not know, but I doubt it.
    Here's the 10.4 Server forum if you want to ask over there...
    Mac OS X Server v10.4 and earlier

  • SA520 Wildcard SSL Certificate?

    I have a wildcard SSL certificate for our domain from RapidSSL.  I installed the intermediary certificates fine but I can't get the acutal cert to install.  I get the message "Can't Upload Invalid Self Certificate" message.  Has anyone else ever successfully used a wildcard cert with an SA?

    Hello Mr. Williamson,
    In order to get a new SSL certificate please follow the next instructions:
    STEP 1 : Click Administration > Authentication.
    The Authentication (Certificates) window opens.
    STEP 2 For each type of certificate, perform the following actions, as needed:
    • To add a certificate, click Upload. You can upload the certificate from the PC
    or the USB device. Click Browse, find and select the certificate, and then
    click Upload.
    • To delete a certificate, check the box to select the certificate, and then click
    Delete.
    • To download the router’s certificate (.pem file), click the Download button
    under the Download Settings area.
    STEP 3 To request a certificate from the CA, click Generate CSR.
    The Generate Certification Signing Request window opens.
    a. Enter the distinguished name information in the Generate Self Certificate
    Request fields.
    • Name: Unique name used to identify a certificate.
    • Subject: Name of the certificate holder (owner). The subject field populates
    the CN (Common Name) entry of the generated certificate and can contain
    these fields:
    - CN=Common Name
    - O=Organization
    - OU=Organizational unit
    - L= Locality
    - ST= State
    - C=Country
    For example: CN=router1, OU=my_dept, O=my_company, L=SFO, C=US
    Whatever name you choose will appear in the subject line of the generated
    CSR. To include more than one subject field, enter each subject separated
    by a comma. For example: CN=hostname.domain.com, ST=CA, C=USA
    • Hash Algorithm: Algorithm used by the certificate. Choose between MD5
    and SHA-1
    • Signature Algorithm: Algorithm (RSA) used to sign the certificate.
    • Signature Key Length: Length of the signature, either 512 or 1024.
    • (Optional) IP Address, Domain Name, and Email Address
    b. Click Generate.
    A new certificate request is created and added to the Certification Signing
    Request (CSR) table. To view the request, click the View button next to the
    certificate you just created.
    Or you could check it on the next link. please check page 191
    http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
    hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
    Thank you

Maybe you are looking for