sha1rsa Root CA
I have followed the manual about changing the SHA-1 to SHA256.
But now I see that the root CA is still SHA1 and the APPTrust is SHA256.
Do I need to change the Root CA to meet the Apple ATS recommendations?
Do I have to do more about the Apple ATS requirements?
That KB article is all you need to do.
The root is not seen by the app.
What matters is, when you probe the IP and TCP port, what is the cert strength seen?
But to be sure, this site can do the probe and tell you if you are good to go for Apple iOS.
NOTE: All 8.1 systems started life with SHA-1 built-in certs. If you upgrade these to 8.2, these certs remain SHA-1.
If the 8.2 system started out as 8.2 and was not an upgrade from 8.1.x, then its certs will be SHA-2.
So, for the systems that were upgrades, and the built-in certs are still SHA-1,
you can upgrade the internal built-in certs to 256,
and doing this will not interfere with any custom certs you may have installed.
Below is the same information from the KB you posted
[in the 8.2 admin guide]:
Run manage-ssl-cert to upgrade the internal built-in certificates to SHA-256.
./rsautil manage-ssl-cert --regen-internal-ca
then go to replica(s) with the primary-keystore.zip
./rsautil manage-ssl-cert --regen-internal-ca --keystore-zip primary-keystores.zip
Then restart the servers.
Edward Davis gave you the right answer, but I want to be sure that if you do go to the SSL Server Test (Powered by Qualys SSL Labs) page, as he suggested, you check the option "do not show the results on the boards," so that your server information is not posted publicly on the page.
You can check the cert strength with OpenSSL from just about any *nix machine,
and not use any 3rd-party site.
Example: probe a site on port 443 for the cert:
openssl s_client -connect mytoken.companyname.com:443 2>/dev/null | openssl x509 -noout -text
SHA-1 result (much was snipped):
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption

SHA-256 result (much was snipped):
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
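The probe described above (and the "what cert strength is seen on the IP and TCP port" question earlier in the thread) can be scripted so that every certificate the server actually sends is classified, not just the first one. The script below is an added example and is not code from this thread, from RSA, or from the Authentication Manager product; it only assumes that `openssl` is on the PATH. The host and port arguments are whatever you choose to probe; the sample text lines at the bottom are constructed to mirror the snipped outputs shown above, so the classifier can be exercised without a network connection.

```shell
#!/bin/sh
# Added example: classify the signature algorithm of a certificate from the
# text output of `openssl x509 -noout -text`, and probe a live server for
# every certificate in the chain it presents.

# classify_sig_alg: read `openssl x509 -noout -text` output on stdin.
# Prints "weak <alg>" and returns 1 for SHA-1/MD5 signatures,
# "ok <alg>" and returns 0 for SHA-2 signatures, "unknown ..." and
# returns 2 for anything it does not recognise (e.g. RSA-PSS encodings).
classify_sig_alg() {
    # The -text output carries the algorithm twice; the first line is enough.
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    case "$alg" in
        '')                       printf 'unknown (no Signature Algorithm line)\n'; return 2 ;;
        sha1*|md5*|md2*)          printf 'weak %s\n' "$alg";    return 1 ;;
        sha256*|sha384*|sha512*)  printf 'ok %s\n' "$alg";      return 0 ;;
        ecdsa-with-SHA2*|ecdsa-with-SHA3*|ecdsa-with-SHA5*)
                                  printf 'ok %s\n' "$alg";      return 0 ;;
        *)                        printf 'unknown %s\n' "$alg"; return 2 ;;
    esac
}

# probe_chain HOST [PORT]: connect with SNI, split the -showcerts output into
# one PEM file per certificate, and report subject and verdict for each.
# Returns non-zero if any certificate in the served chain is weak or unknown.
# Needs network access; the host and port are whatever you want to check.
probe_chain() {
    host=$1; port=${2:-443}
    tmp=$(mktemp -d) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | awk -v dir="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
            f { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    rc=0
    for f in "$tmp"/cert*.pem; do
        if [ ! -f "$f" ]; then
            echo "no certificates received from $host:$port"
            rm -rf "$tmp"; return 2
        fi
        subject=$(openssl x509 -noout -subject -in "$f")
        verdict=$(openssl x509 -noout -text -in "$f" | classify_sig_alg) || rc=1
        printf '%s: %s  [%s]\n' "$(basename "$f" .pem)" "$verdict" "$subject"
    done
    rm -rf "$tmp"
    return $rc
}

# demo: constructed sample lines mirroring the snipped outputs in the thread,
# so the classifier can be seen working offline.
demo() {
    printf '    Signature Algorithm: sha1WithRSAEncryption\n'   | classify_sig_alg || :
    printf '    Signature Algorithm: sha256WithRSAEncryption\n' | classify_sig_alg
}

# With arguments, probe a live host; without, run the offline samples.
if [ "$#" -gt 0 ]; then probe_chain "$@"; else demo; fi
```

Usage: `sh check_chain.sh mytoken.companyname.com 443` (hypothetical file name, host from the thread's own example). The exit status is non-zero if any served certificate is not SHA-2 signed, which makes the check easy to drop into a post-upgrade verification step after running manage-ssl-cert and restarting the servers.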
Thank you very much for your quick responses, guys!
I have changed the certs with ./rsautil manage-ssl-cert and now my root CA is still SHA1RSA, but that's fine if I'm reading this right. The installation was an upgrade from 7 to 8.2, so I did need to change the certs.
Tomorrow I will try the SSL check at the customer.
It did start with the reminder about the Apple ATS from RSA.