curious7 asked:
Procedure & considerations for RSA certificate change to SHA2
We are changing our certificate authority to SHA2 from SHA1.
Cert authority server has already been set up and now we are changing the certs for member servers and appliances.
As a result we need to change the certificates on our RSA authentication manager from SHA1 to SHA2.
What are the things to keep in mind before changing these certificates?
Do the end user computers need to trust the root CA for these certs?
And if RSA is used for two-factor authentication on Citrix NetScaler, then does Citrix NetScaler need to trust the root CA as well?
I found the following article to replace the web tier cert:
https://rsa.jiveon.com/docs/DOC-64670
Do I also need to change the console and application trust certificates to SHA2?
ASKER
Hi Sam
No, it is an internal CA.
And it is the first time I am doing the procedure on an RSA device, so that is why I need to check the requirements.
Thanks
Maneesh
You might want to get those certs from a publicly trusted CA. If you don't, you will need to push out GPOs (assuming all endpoint devices are Windows; Linux is trickier...) making the internal CA trusted globally. Once you do get a publicly trusted cert, then you will receive a chain cert and intermediate cert from that issuing authority that you can use on the RSA box/appliance. It will be so much easier getting the publicly trusted cert vs the hours of work you will be constantly required to do to make the internal CA trusted.
The cost of a public certificate is negligible, so I would highly recommend as Nathan did to get them from a known CA. Especially if you also need to support Linux, iOS and/or Android devices.
ASKER CERTIFIED SOLUTION
If so, most computers already have the root CA for known CAs installed.
However, you probably need to also install new SHA2 intermediate certificates and link the new server certificates to them.
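Added example for this thread (not from RSA, the linked article, or any poster): a small openssl-based check for the two things the answers keep coming back to, namely which certificates are still SHA-1 signed and whether the server certificate actually chains to the root through the intermediates. It assumes the openssl CLI is installed; the file names and subjects are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: audit PEM certificates for their
# signature hash and check that a server certificate chains to the root.
# Assumes the openssl CLI; all file names and subjects are constructed.
set -eu

# Print the signature algorithm of one PEM certificate, e.g.
# "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
sig_alg_of() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Print "<file>: <algorithm>" for every *.pem in a directory and return 1 if
# any of them is still SHA-1 signed (the ones the migration has missed).
audit_dir() {
  bad=0
  for f in "$1"/*.pem; do
    alg=$(sig_alg_of "$f")
    printf '%s: %s\n' "$(basename "$f")" "$alg"
    case "$alg" in sha1*) bad=1 ;; esac
  done
  return "$bad"
}

# Verify that the leaf ($2) chains to the root ($1); pass an intermediate
# bundle as the optional third argument (the "link the server cert to the
# intermediates" step from the accepted answer).
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Build a throwaway SHA-256 internal root and a server certificate it signed,
# so the functions above can be exercised offline. Prints the directory.
make_test_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=am.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
  echo "$dir"
}
```

Point `audit_dir` at the directory holding the exported root, intermediate, web tier, console and application trust certificates to see which ones are still SHA-1, and use `chain_verifies` with the intermediate bundle to confirm the new server certificate links correctly before it goes on the appliance.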