Migrate SHA-1 to SHA-2 at F5 LB : impact on CDN & apps; sites that use CDN/clean pipe provider

When converting SHA-1 to SHA-2 (or SHA256) certs, will apps (eg: IIS, Apache, Oracle Web server,
iPlanet, Weblogic, apps developed using Java, Html/Html5, Flash player & .Net Framework) be affected?  
If so, how are they tested after converting to SHA-2, just by checking the apps' logs?

if a website goes thru CDN & I use IE to check (press Ctrl-V & then select  ...Security Report...), what's
shown as SHA256 is what the website's F5 LB show or what the CDN show or what the cert in the
web server show?   Ie what's shown by IE Security report is from the CDN, F5 LB or the web  server?

When migrating F5 LB's cert from Sha1 to Sha2, anything needs to be changed in the CDN?
Who is Participating?
David Johnson, CD, MVPOwnerCommented:
everywhere that has a cert must be updated to the new cert. The change will have no effect at your end (server) but some clients don't support sha-2
various certificate providers supply compatibility matrix's i.e.
btanExec ConsultantCommented:
A1. Mostly if you used SSL in the apps and web transaction which likely you will have, will be affected since the existing SSL certificate will need to be re-issued if it does not support SHA-2 yet (based on key usage, server authentication). After replacing the SSL certificate, you can check by visiting the site in your browser and viewing the certificate that the browser received. Generally if you click or right-click on the lock icon, there should be an option to view the new certificate details.

if it is reachable through public, then can also consider below online check

There is also the snipplet from Openssl if you use it. e.g.
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"

A2. It will be from CDN as they are the first to front all HTTPS request. Typically the F5 LB likely be having the VIP having the SSL cert for your origin web server. With CDN, the latter will now front the SSL for the F5 LB. In short, the F5 SSL certificate will now be provisioned into the CDN edge server (at that point) for HTTPS request. The re-issuance of SSL certificate is required. Do not use the private key of your origin server to pass on to CDN edge server, it should be from the F5 CA per se to issue a new SSL cert. The CDN will establish SSL back to F5 LB - just like another client (similar to any browser) requesting HTTPS request for the web pages etc.

..Your browser will show SSL cert of CDN issued by the CA similar to the F5 SSL cert CA. Both are different SSL cert but client see the CDN and the latter see the F5 SSL. In fact, you can have CDN  issued by their own (contracted) CA but eventually it will need your F5 list of trusted CA to include the CDN CA (and any certificate bundle chain).  

A3. As mentioned in A2, besides the re-issuance of SSL cert and the necessary CA to be included the trusted root CA list. The remaining is going to the the validation but do have it tested in the CDN staging before going to live CDN production, if they provide such stages of testing. Testing of CDN to F5 is only required, there is no change on F5 to origin server. Do question the CDN team how long it need to propagate such changes to its backend and eventually to the edge server SSL store... Likewise on your test machine, clear your browser cache before testing ... you may want to re-validate the caching configured at CDN is as per normal
sunhuxAuthor Commented:
Last question:

Is there a quick way to tell if the cert is from the CDN or the F5 LB or the server ?

What I'm currently doing is to find out if a site's URL maps to a CDN (using whois.
domaintools.com).   Then I'll need to use openssl to poll the LB's VIP as well as
the web server's VIP : a 3 step process.

Will be nice if there's a freeware tool that could tell if the cert shown is from the
CDN, F5 LB or the server
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

btanExec ConsultantCommented:
You will not see it from SSL cert. Applies regardless if CDN exist.

Use httpwatch or fiddler for your http traffic to/fro the browser to the target URL. Note that
a) For CDN, traffic is directed (after DNS resolved, do a nslookup or dig) will have the original URL redirected to its CDN Edge server instead of the direct to the LB or Origin server.
b) For no CDN, traffic is as per any F5 VIP configured - in fact you will not know if a LB exist explicitly.

Maybe instead of SSL cert check for SHA-2, check the Target URL for its DNS "A" and "CNAME" recordset in the DNS server.
sunhuxAuthor Commented:
> check the Target URL for its DNS "A" and "CNAME" recordset in the DNS server
So what do we look for in the Dns 'A' and 'CName' recordset to tell us it's from
CDN or non-CDN?  Can provide an example?

What command do we issue to check the Dns 'A' and 'CName' recordset ?
Will be good if you could provide actual syntax/sample command
btanExec ConsultantCommented:
try using this with your URL e.g. www.example.com (select either A or CNAME or ALL)
alternatively the web version for dig is available online too below, likewise same to put in the hostname (domain).
David Johnson, CD, MVPOwnerCommented:
if you look at the url requested , now you can look in your dns settings
btanExec ConsultantCommented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.