
SHA-2 certificate in SEC 5.5.0

Hi,
We have upgraded SEC from version 5.4.0 to 5.5.0 specifically to avail of the SHA-2 certificate used by the RMS components which was introduced in 5.4.1 as per KB article 125162.  However it looks like 5.5.0 is still using the old SHA-1 certificate. 

Does this mean we should have installed 5.4.1 first rather than going straight to 5.5.0?  Is there a way round this or do we need to uninstall 5.5.0 and install 5.4.1 (I really hope not!)  Or have I just missed something?

Thanks in advance,
Justin



  • Hello Justin,

    What does "it looks like" mean, and where is it using the old SHA-1 certificate?

    "we should have installed 5.4.1 first"
    No, usually there aren't any upgrade path requirements (AFAIK there was only one and you simply couldn't make a "large jump" when upgrading).

    Christian

  • Hello Christian,

    The certificate is called cac.pem and is located in C:\ProgramData\Sophos\AutoUpdate\Cache on the endpoints.  A vulnerability scan is flagging it up hence wanting to replace it with the SHA-2 certificate.
    The KB article 125162 mentions that SHA-2 signed certificates will be created by default in 5.4.1, but in 5.5.0 they don't appear to be, hence wondering if we needed 5.4.1.

    Thanks
    Justin

  • Hello Justin,

    ah, I see. Indeed mine is signed with MD5. The Sophos Enterprise Console 5.4.1 article does not mention cac.pem.
    cac.pem (in conjunction with mrinit.conf) is used only when RMS is installed. Subsequently RMS will refuse to apply changes to the configuration if the certificates don't match. This might be the reason that cac.pem isn't "upgraded" with a new hash on SEC upgrades. Anyway, cac.pem isn't used for communication. Unfortunately I don't have a spare machine right now to test whether a fresh install (without migrating the certificates) of SEC would create a SHA-2 cert.

    Christian 

  • Right, have been experimenting with various versions of SEC and come up with the following:

    Installing a fresh 5.4.0 and upgrading to 5.4.1 doesn't update the certificates to SHA2

    Installing a fresh 5.4.1 installs the SHA2 certificates, then upgrading this to 5.5.0 keeps those certificates

    Installing a fresh 5.5.0 installs an SHA1 certificate

    So to get an SHA2 certificate on the clients, it looks like we need a fresh 5.4.1 install then upgrade that to 5.5.0.  Have already done this on another machine and used this to push out the client to a couple of test machines that had the old MD5 cert, these were subsequently updated with the SHA2 certificate.  A bit of a faff but doable.  Hope this all makes sense!

    Will experiment a bit more then maybe migrate our clients to the SEC install with the SHA2 certificate, looks fairly straightforward, especially as we're using an MSSQL DB but we'll see.

    Thanks
    Justin
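A quick way to verify what the experiments above describe on an endpoint is to read the signatureAlgorithm OID out of cac.pem and classify it, which is also what the vulnerability scanner is reacting to. The following is an added example, not code from this thread or from Sophos: it parses just enough DER to reach Certificate.signatureAlgorithm (RFC 5280), works on PEM or DER input, and uses a constructed stand-in certificate (`sample_cert`, dummy TBS and signature bytes, not a real signed cert) so it runs without the real file.

```python
import base64, re

# signatureAlgorithm OIDs: the ones a vulnerability scanner flags vs. the SHA-2 ones it accepts
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSA", "1.2.840.113549.1.1.5": "sha1WithRSA"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSA", "1.2.840.113549.1.1.13": "sha512WithRSA"}
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"   # DER bodies of two OIDs

def _tlv(data, pos=0):
    """Decode one DER tag-length-value starting at pos: returns (tag, value, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280) from PEM or DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert
    _, outer, _ = _tlv(der)                            # Certificate ::= SEQUENCE {
    _, _, p = _tlv(outer)                              #   tbsCertificate (skipped)
    _, algid, _ = _tlv(outer, p)                       #   signatureAlgorithm AlgorithmIdentifier
    return _decode_oid(_tlv(algid)[1])                 #     algorithm OBJECT IDENTIFIER

def classify(cert):
    """('WEAK', name) for MD5/SHA-1, ('OK', name) for SHA-2, else ('UNKNOWN', oid)."""
    oid = signature_algorithm(cert)
    if oid in WEAK:
        return "WEAK", WEAK[oid]
    return ("OK", STRONG[oid]) if oid in STRONG else ("UNKNOWN", oid)

def _der(tag, value):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_cert(oid_hex):
    """Constructed stand-in for cac.pem: valid outer layout, dummy TBS and signature bytes."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, bytes(129))                       # BIT STRING: 0 unused bits + 128 zeros
    pem = base64.encodebytes(_der(0x30, tbs + alg + sig))
    return b"-----BEGIN CERTIFICATE-----\n" + pem + b"-----END CERTIFICATE-----\n"
```

On a real endpoint, pass the file contents instead of the sample, e.g. `classify(open(r"C:\ProgramData\Sophos\AutoUpdate\Cache\cac.pem", "rb").read())`; a SHA-1 or MD5 result is what the scanner is flagging.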

  • Hello Justin,

    kudos for your experimenting.

    "Installing a fresh 5.5.0 installs an SHA1 certificate"
    that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe could summon someone from the SEC team?

    "fairly straightforward"
    only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch-22 - endpoints will accept an updated certificate only from a trusted source, and to make your new SEC trusted you'd have to import the old certificate ...

    Christian 
