XG v16 SHA2 certificate issue

After upgrading the XG appliance from v15 to v16 and regenerating the certificate authority as recommended, the new certificate still shows a SHA1 thumbprint. Is there a different maneuver to generate a SHA2 certificate?

I regenerated the certificate from: System > Certificates > Certificate Authorities > Regenerate Certificate Authority, and then downloaded the certificate from the same page.

Best regards, Anders



  • This is from the document "Sophos XG Firewall v16.01.1 Staged Release – Release Notes" in XG Release 16.01.1.zip.

    "Behavior Changes / Known Behavior / Base System & Framework

    Certificate passphrase has been strengthened in SFOS v16, it is recommended to administrator regenerate the SSL CA certificate to use the strengthened passphrase on upgrading to SFOS v16 from v15. After regenerating the SSL CA, administrator will have to reinstall the new SSL CA in all client browser to avoid Certificate Error."

    I assumed this was the improved manual update process from SHA1 to SHA2 instead of the forced update in the 16.01.0 release. 

  • Anders,

    you were right:

    https://community.sophos.com/kb/en-us/125267#related%20information1

    Sorry about that!

    On v16, SHA-256 has been implemented. The CA already uses the SHA-2 algorithm while the ApplianceCertificate does not. Re-generating the appliance certificate from the Certificates menu did the trick.
    Now my ApplianceCertificate is updated to the SHA-2 algorithm.

    Make sure the CA is updated to SHA-2 and then regenerate all the certificates previously signed by Sophos CA.

  • I was fooled by the thumbprint still showing SHA1 but the certificate is updated to SHA2. Great news! :)

    Thanks!
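
The distinction the thread arrives at (signature algorithm versus thumbprint) can be checked on any downloaded certificate. The following is an added example, not part of the original thread or Sophos documentation; it assumes the OpenSSL command-line tool is installed, and the function names and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Signature algorithm: chosen by the issuer and stored inside the certificate.
# This is the value that matters for the SHA-1 to SHA-2 migration.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Thumbprint: a digest of the whole encoded certificate, computed by whatever
# tool displays it. Any certificate has a SHA-1 thumbprint, however it was signed.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# Succeeds only if the certificate's signature itself uses SHA-1.
is_sha1_signed() {
    cert_sig_alg "$1" | grep -qi 'sha1'
}

# Constructed sample: a throwaway self-signed certificate signed with SHA-256.
# To check a real one, point CERT at the PEM file downloaded from the appliance.
WORK=$(mktemp -d)
CERT="$WORK/constructed-ca.pem"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=constructed-test-ca.example" \
    -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null

echo "Signature algorithm: $(cert_sig_alg "$CERT")"
echo "SHA-1 thumbprint:    $(cert_thumbprint "$CERT" sha1)"
echo "SHA-256 thumbprint:  $(cert_thumbprint "$CERT" sha256)"
if is_sha1_signed "$CERT"; then
    echo "Signature still uses SHA-1: regenerate this certificate"
else
    echo "Signature does not use SHA-1"
fi
```

The same certificate yields both a SHA-1 and a SHA-256 thumbprint, while the signature algorithm line stays fixed at what the issuer used.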