SHA-2 certificate in SEC 5.5.0

Hello Justin,

what means it looks like and where is it using the old SHA-1 certificate?

we should have installed 5.4.1 first
No, usually there aren't any upgrade path requirements (AFAIK there was only one and you simply couldn't make a "large jump" when upgrading).

Christian

Hello Christian,

The certificate is called cac.pem and is located in C:\ProgramData\Sophos\AutoUpdate\Cache on the endpoints.  A vulnerability scan is flagging it up hence wanting to replace it with the SHA-2 certificate.
The KB article 125162 mentions SHA-2 signed certificates will be created by default in 5.4.1 but in 5.5.0 but they don't appear to be hence wondering if we needed 5.4.1.

Thanks
Justin

Hello Justin,

ah, I see. Indeed mine is signed with MD5. The Sophos Enterprise Console 5.4.1 article does not mention cac.pem.
cac.pem (in conjunction with mrinit.conf) is used only when RMS is installed. Subsequently RMS will refuse to apply changes to the configuration if the certificates don't match. This might be the reason that cac.pem isn't "upgraded" with a new hash on SEC upgrades. Anyway cac.pem isn't used for communication. Unfortunately I don't have a spare machine right now to test whether a fresh install (without migration the certificates) of SEC would create a SHA-2 cert.

Christian 

Right, have been experimenting with various versions of SEC and come up with the following:

Installing a fresh 5.4.0 and upgrading to 5.4.1 doesn't update the certificates to SHA2

Installing a fresh 5.4.1 installs the SHA2 cetificates then upgrading this to 5.5.0 keeps those certificates

Installing a fresh 5.5.0 installs an SHA1 certificate

So to get an SHA2 certificate on the clients, it looks like we need a fresh 5.4.1 install then upgrade that to 5.5.0.  Have already done this on another machine and used this to push out the client to a couple of test machines that had the old MD5 cert, these were subsequently updated with the SHA2 certificate.  A bit of a faff but doable.  Hope this all makes sense!

Will experiment a bit more then maybe migrate our clients to the SEC install with the SHA2 certificate, looks fairly straightforward, especially as we're using an MSSQL DB but we'll see.

Thanks
Justin

Hello Justin,

kudos for your experimenting.

Installing a fresh 5.5.0 installs an SHA1 certificate
that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1.+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe Bianson could summon someone from the SEC team?

fairly straightforward
only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch22 - endpoints will accept an updated certificate only from a trusted source, to make your new SEC trusted you'd have to import the old certificate ...

Christian 

I have the same problem.  I'm running SEC 5.5.0 but all of our clients are still getting the SHA1 certificate.  Did anyone find a solution other than installing 5.4.1 and upgrading to 5.5.0 and then migrate the clients to the new server?  I'd like to just update the cert on the existing 5.5.0 server.

Hello B.Banner_Hulk,

all of our clients are still getting the SHA1 certificate
are you referring to the self-signed root certificate in cac.pem? As far as I can see the certificate in HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\\pkc contains a 2048bit Public Key with a sha256RSA Signature. As mentioned above cac.pem isn't re-created or upgraded, you'd have to perform a clean (i.e. without exporting/importing the certificates) install and then reprotect or reinit the endpoints.
Can't say though whether 5.5.0 still incorrectly creates a SHA1 (if I have seen correctly the sec_550_sfx.exe has been changed since its initial release but I can't say what has been changed). It's not mentioned on the Known issues list.

Christian

Thanks.  Yes, I'm referring to the cac.pem file.  For now, we have configured the Windows Firewall on our endpoints to only accept connections on TCP 8192 and 8194 from the server IP.  This is enough for the scans to show clean.  It would be nice if there was a 5.5.1 patch to update cac.pem but it seems we'd have to migrate to a new server with a fresh 5.5.0 install?

Hello B.Banner_Hulk,

only accept connections [...] from the server IP
[:D]

a 5.5.1 patch to update cac.pem
it's not just updating it on the server, guess the endpoints would also have to "accept" this change. As it's issued with a 20 year validity it's apparently not supposed to change.

Christian

Hi Justin,

If you still need help regarding this issue -

We have a way to upgrade the certificate to SHA-2 if the older version is 5.4.0 instead of going for a fresh install.

As the steps are long, if you can open a service requested quoting this Thread we'll get you sorted.

Thanks,

Vikas