Forum Discussion

TomNSCPO8_12229
Oct 05, 2016

Updating iApp from SHA-1 to SHA-256

Hi all, just a quick question. What is best practice, or what are recent success stories, on updating a SHA-1 cert to SHA-256 on a profile built by an iApp? I know turning off strict updates allows you to do it, but can you just update the profile? I did not do a renew on the cert through the CA (a coworker bought it as it was new).

 

Thanks

 

1 Reply

  • In my experience --

     

    My unfiltered thoughts: A cert is a cert no matter how / where it is made.

     

    To modify the certificate to SHA-256, you "renew" the certificate and apply for a new SHA-256 certificate with the same CN and SANs -- or modified / new SANs.

     

    OR -- create a new SSL profile with the SHA-256 certificate and apply it to the VSs you want updated.

     

    When you receive the new certificate: Paste in the hash to the certificate you renewed.

     

    I have updated hundreds of SSL profiles with expired certs, with the same CN and SANs or modified SANs. When one connects to a VIP, their session has already negotiated. When you apply the new certificate, everyone after the modification will then use the SHA-256.

     

    -- Before I left my last job, I tested this with success. --No calls ha!

     

    My cheat

     

    I use the F5 to create all of my certificates. :) Cuts down on the time to type the commands.. haha!

     

    -Just don't convert it to FIPS or you are Skeee Rewwwed! You can export the Certs to whatever server you want.