Hi Dave,
start with a complete platform backup including the private keys, please.
Now just create a new private key and a CSR using SHA256, send it and let it be signed by your CA.
(It should even work to send your previous SHA1 based CSR and let it sign with a SHA256 hash by the CA.)
Make sure to use a new objectname (no extension like .crt required) to avoid overwriting the existing key/cert data.
Signing the new CSR should be free of charge in my opinion, as it is for the same CN and SANs and if it is still valid.
After receiving the new signed certificate and intermediate.ca file from your CA you will create a new client-ssl profile with the key/cert/chain and assign it step-by-step to your virtual servers.
Before sending the CSR to your CA you can verify it locally in shell (cat will wait for you pasting the CSR text and pipe it to openssl, which will decode it and generate some output):
cat | openssl req -noout -text
Now paste your CSR and it should return some data including the 'Signature Algorithm' showing sha256WithRSAEncryption. (As mentioned before, this is not mandatory for getting a SHA256 signed cert from your CA in my opinion.)
Same procedure when receiving the signed cert. Paste it into the following:
cat | openssl x509 -noout -text
The output should also show a SHA256 signature.
That's it. Perhaps you have a test environment (i.e. BIG-IP Virtual Edition) to run all this offline before importing the key/cert pair to your production system.
Thanks, Stephan
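The procedure from the reply above as a scripted check, added here as an example and not part of the original post: generate a new key and a SHA256 CSR, self-sign it as a stand-in for the CA in a test environment, and confirm with `openssl req`/`openssl x509 -noout -text` that the signature algorithm is sha256WithRSAEncryption. The subject, file names and the self-signing step are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -eu

# Print the first "Signature Algorithm" value openssl reports for a PEM CSR.
csr_sig_alg() {
    openssl req -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

# Same for a PEM X.509 certificate (the CA's answer, or a self-signed test cert).
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

# Return 0 if the reported algorithm is SHA-256 based (e.g. sha256WithRSAEncryption).
is_sha256() {
    case "$1" in
        sha256With*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Generate a new 2048-bit RSA key and a CSR signed with SHA-256.
# Constructed subject; replace CN/SANs with your own when reusing this.
make_sha256_csr() {
    key=$1; csr=$2
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$key" -out "$csr" -subj "/CN=www.example.com/O=Example Org"
}

# Self-sign the CSR with SHA-256 (assumed stand-in for the CA, for offline testing only).
self_sign_sha256() {
    key=$1; csr=$2; crt=$3
    openssl x509 -req -sha256 -days 30 -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null
}

# Stand-alone run: create key/CSR/cert in a temp dir and report the algorithms.
workdir=$(mktemp -d)
make_sha256_csr "$workdir/new.key" "$workdir/new.csr"
self_sign_sha256 "$workdir/new.key" "$workdir/new.csr" "$workdir/new.crt"
echo "CSR  signature: $(csr_sig_alg "$workdir/new.csr")"
echo "Cert signature: $(cert_sig_alg "$workdir/new.crt")"
is_sha256 "$(csr_sig_alg "$workdir/new.csr")" && echo "CSR is SHA-256 based"
```

A SHA-1 CSR would show sha1WithRSAEncryption here, which is the value to look for before re-issuing.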