SHA-2 certificate in SEC 5.5.0

Hello Justin,

what means it looks like and where is it using the old SHA-1 certificate?

we should have installed 5.4.1 first
No, usually there aren't any upgrade path requirements (AFAIK there was only one and you simply couldn't make a "large jump" when upgrading).

Christian

Hello Christian,

The certificate is called cac.pem and is located in C:\ProgramData\Sophos\AutoUpdate\Cache on the endpoints.  A vulnerability scan is flagging it up hence wanting to replace it with the SHA-2 certificate.
The KB article 125162 mentions SHA-2 signed certificates will be created by default in 5.4.1 but in 5.5.0 but they don't appear to be hence wondering if we needed 5.4.1.

Thanks
Justin

Hello Justin,

ah, I see. Indeed mine is signed with MD5. The Sophos Enterprise Console 5.4.1 article does not mention cac.pem.
cac.pem (in conjunction with mrinit.conf) is used only when RMS is installed. Subsequently RMS will refuse to apply changes to the configuration if the certificates don't match. This might be the reason that cac.pem isn't "upgraded" with a new hash on SEC upgrades. Anyway cac.pem isn't used for communication. Unfortunately I don't have a spare machine right now to test whether a fresh install (without migration the certificates) of SEC would create a SHA-2 cert.

Christian 

Right, have been experimenting with various versions of SEC and come up with the following:

Installing a fresh 5.4.0 and upgrading to 5.4.1 doesn't update the certificates to SHA2

Installing a fresh 5.4.1 installs the SHA2 cetificates then upgrading this to 5.5.0 keeps those certificates

Installing a fresh 5.5.0 installs an SHA1 certificate

So to get an SHA2 certificate on the clients, it looks like we need a fresh 5.4.1 install then upgrade that to 5.5.0.  Have already done this on another machine and used this to push out the client to a couple of test machines that had the old MD5 cert, these were subsequently updated with the SHA2 certificate.  A bit of a faff but doable.  Hope this all makes sense!

Will experiment a bit more then maybe migrate our clients to the SEC install with the SHA2 certificate, looks fairly straightforward, especially as we're using an MSSQL DB but we'll see.

Thanks
Justin

Hello Justin,

kudos for your experimenting.

Installing a fresh 5.5.0 installs an SHA1 certificate
that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1.+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe Bianson could summon someone from the SEC team?

fairly straightforward
only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch22 - endpoints will accept an updated certificate only from a trusted source, to make your new SEC trusted you'd have to import the old certificate ...

Christian 

Hello Justin,

kudos for your experimenting.

Installing a fresh 5.5.0 installs an SHA1 certificate
that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1.+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe Bianson could summon someone from the SEC team?

fairly straightforward
only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch22 - endpoints will accept an updated certificate only from a trusted source, to make your new SEC trusted you'd have to import the old certificate ...

Christian