SHA2 Certificate Migration

A bit of clarification... I am running 11.2.1. I am only concerned about the key possibly being created in a way that does not fully support the sha2 signing algorithm. The F5 CSRs signing algorithm shows SHA1 when running certutil. However, the PKI (internal or third party) signs with SHA2 and the import works successfully with the correct algorithm. I'm only making sure to cover all bases.

Thanks!

Hi Same situation here and I really want to hear any suggestion.

I never received a confident answer one way or the other, but I've had no problems with creating the CSR within the GUI and having it singed with SHA-2. There is no difference in the way that the keys are generated from what I can tell. If you run certutil within Windows or examine the CSR attributes you will see a SHA-1 signing algorithm. However, as long as your CA signs with SHA-2 it will update accordingly. The other solution is to create the CSR using openssl, but I haven't deemed that necessary. Make sure you update your certificate chains as well :)

Thanks ZacW

Their concern is that the key is created differently when requesting SHA1 vs SHA2. I'm not sure if that is truly the case which is why I'm asking for clarification.

i think it (csr's signature algorithm) does not matter as long as ca signs it using sha2.

Are certificate authorities required to obey to the signature algorithm (hashing) specified in the CSR?

I think we can generate a CSR from F5 CLI using OpenSSL tool for SHA2. I recently did the same using the following command to generate the SHA2 CSR.

openssl req -out /var/tmp/Test1.csr -key /var/tmp/Test.key -new -sha256

Source article:

http://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/

I hope this would help.

Cheers! Darshan