
What versions of SafeGuard support SHA-256?

I am currently running SafeGuard server 6.01 with a mix of 6.01, 6 and 5.6 clients on Windows 7 SP1 laptops. I am trying to find out if these older clients will work with SHA-256 when I replace our SHA-1 certificates. Would anyone know if I have to replace the client configs or clients also?

Thanks



  • Because the SHA-256 algorithm for certificate signing introduces an increased level of security, you have to consider the interoperability with older SGN Clients prior to making the switch or you risk breaking communications between your client(s) and server due to incompatibilities.  

    Prior to making the switch from SHA-1 to SHA256, you will need to make sure that ALL of the following points are met or you will break client/server communications:

    • SafeGuard backend components (Server, Management Center & Database) are at v6.10 or higher.
    • Your Windows Server OS hosting SafeGuard backend is version 2008 R2 or greater.
    • ALL SGN client computers are at SGN v6.10 or greater.
    • ALL SGN client computers are running Windows OS version 7 SP1 or greater.


    How do I change the hash algorithm from SHA-1 to SHA-256?

    Self-Signed:

    Changing the algorithm for self-signed certificates involves the following steps:

    • Changing the hash algorithm
    • Creating a Certificate Change Order (CCO)
    • Creating a configuration package including the CCO
    • Restarting the SafeGuard Enterprise database servers
    • Distributing and deploying the configuration packages on the endpoints

    For the full process please see Change algorithm for self-signed certificates.

    Trusted CA:

    Before moving to SHA256 you will need to make sure that your environment meets the following criteria otherwise you may end up with Client/Server communication issues:

    • SafeGuard backend is 6.10 or higher (this includes the Server, Management Center and Database)
    • You're running Windows Server 2008 R2 or higher
    • All SGN clients are running SGN 6.10 and Windows 7 SP1 or higher

    You do not need to install a new configuration package. After the change is made to SHA-256 in the Management Center, the clients will collect the new certificate upon their next synchronization with the server.
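
A pre-switch readiness check over a machine inventory, as an added example that is not part of the original posts or of SafeGuard: it applies the version minimums listed in the answer above. The CSV columns, the host names and the mapping of OS releases to Windows build numbers (7600 for Server 2008 R2, 7601 for Windows 7 SP1) are assumptions of this example.

```python
import csv
import io

# Minimums taken from the answer above. The build numbers are this example's
# mapping of those OS releases: 7600 = Server 2008 R2, 7601 = Windows 7 SP1.
MIN_SGN = (6, 10)
MIN_BUILD = {"backend": 7600, "client": 7601}

# Constructed sample inventory; the column names are assumptions, not a
# SafeGuard export format.
SAMPLE = """host,role,sgn_version,os_build
sgn-srv01,backend,6.01,7601
lt-001,client,6.01,7601
lt-002,client,6,7601
lt-003,client,5.6,7601
lt-004,client,6.10,7600
lt-005,client,6.10.1,7601
"""

def parse_version(text):
    """'6.01' -> (6, 1), '6' -> (6, 0): compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (2 - len(parts)))

def blockers(inventory_csv):
    """Return {host: [reasons]} for every machine that fails a prerequisite."""
    found = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if parse_version(row["sgn_version"]) < MIN_SGN:
            reasons.append(f"SGN {row['sgn_version']} is below 6.10")
        if int(row["os_build"]) < MIN_BUILD[row["role"]]:
            reasons.append(f"OS build {row['os_build']} is too old")
        if reasons:
            found[row["host"]] = reasons
    return found

def ready_for_sha256(inventory_csv):
    """Every machine must meet every point before the algorithm is changed."""
    return not blockers(inventory_csv)

if __name__ == "__main__":
    for host, reasons in blockers(SAMPLE).items():
        print(f"{host}: {'; '.join(reasons)}")
    print("ready:", ready_for_sha256(SAMPLE))
```

With the sample data, the 6.01, 6 and 5.6 machines from the question are all reported as blockers, as is the backend itself at 6.01.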

  • BigDog,

    I just want to verify what you're saying in your last sentence: if all the above is true, after we upgrade the certificate on the back-end server, the clients will pull the new certificate, on their own, during the next synchronization? We don't have to manually push the certificates to the clients?

    Thanks

  • Hello Brian,

    It will depend on which certificate you have. A Self-Signed certificate will require a push of the new certificate via a new Client Config being created and pushed out to your clients. A Trusted CA certificate will not require a new Client Config be created and pushed to your clients as the clients will pull the new certificate on next sync cycle.

    I have updated my original post to include both processes so that it is clear how each certificate type is to be handled.

    Hope this helps.

    Regards,

    ~ BigDog88
