Aruba Employee
Posts: 64
Registered: ‎11-30-2009

Migrating certs from SHA-1 to SHA-2

Heads up guys - there are changes coming up with Google Chrome in regards to errors it'll display if SHA-1 is used for SSL certificates. Solution - migrate the certs to SHA-2. Check out the articles below:

https://garage.godaddy.com/webpro/security/google-chrome-phasing-ssl-certs-using-sha-1/

http://googleonlinesecurity.blogspot.sg/2014/09/gradually-sunsetting-sha-1.html

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Migrating certs from SHA-1 to SHA-2

What are the controller certificates using? It looks like SHA-1.

Aruba Employee
Posts: 64
Registered: ‎11-30-2009

Re: Migrating certs from SHA-1 to SHA-2

Indeed it appears so. I have escalated it to the appropriate team internally.

Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Migrating certs from SHA-1 to SHA-2

ArubaOS has had support for SHA256 and SHA384 since version 6.1.  The certificates installed on it are using whatever you requested when you installed those certificates.  Because you're not using "securelogin.arubanetworks.com" in a production network, right? :)

---
Jon Green, ACMX, CISSP
Security Guy
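
Since an installed certificate carries whatever signature hash was requested when it was issued, one way to find the certificates that still need migrating is to read the outer signatureAlgorithm field from the certificate's DER bytes. The following is an added example, not part of the original thread and not Aruba code; the function names and the sample certificate skeletons are constructed for illustration.

```python
# Added example: name the signature algorithm of an X.509 certificate (DER).
# Sample inputs are constructed DER skeletons, not real certificates.
SIG_OIDS = {  # DER-encoded OID body -> algorithm name
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    outer_tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (outer_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    oid = bytes(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, "unknown:" + oid.hex())

def needs_migration(der):
    """True when the certificate is signed with a SHA-1 based algorithm."""
    return "sha1" in signature_algorithm(der).lower()

def tlv(tag, body):
    """Encode one DER element (helper for building the constructed samples)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def sample_cert(oid_hex):
    """Constructed skeleton: placeholder tbsCertificate, given OID, dummy signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, b"\x00" * 200)  # 200 bytes forces a long-form length
    sig = tlv(0x03, b"\x00" + b"\xaa" * 16)
    return tlv(0x30, tbs + alg + sig)
```

For a real certificate in PEM form, `ssl.PEM_cert_to_DER_cert()` from the Python standard library produces the DER bytes that `signature_algorithm()` expects.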
Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Migrating certs from SHA-1 to SHA-2

Most of our customers are, for many reasons. Some can't get a public certificate as they don't own a domain. Some simply can't be bothered replacing it.

Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Migrating certs from SHA-1 to SHA-2

I have a hard time being sympathetic to this - domains and certificates are very inexpensive these days.  The bigger concern I have is that use of a common certificate, which doesn't cause browser warnings, gives people the impression of security when actually there is none.  Maybe Chrome generating SHA1 warnings will help people understand that this certificate is not safe to be using.

 

Once this latest certificate expires (unfortunately not until 2017) I think we're going to move to a model where each controller generates a self-signed certificate.  Using a public certificate where the private key is known to everyone is ultimately a disservice to our customers, and we probably shouldn't have started doing it way back in the day.  Had I known...

---
Jon Green, ACMX, CISSP
Security Guy
Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: Migrating certs from SHA-1 to SHA-2

I think moving to a self-signed controller cert is a fantastic idea!

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480