Need SHA-1 Certs


#1

My company has an older Cisco mesh network in need of new certs, but the APs only support SHA-1. We don’t want to update these devices because sometime next year we plan on upgrading all of them to Ruckus.

No CAs are offering SHA-1s. I’m at a loss on what I can do. Can I make SHA-1 certs with this tool? If not, does anybody here have a recommendation for how I can get some?

Thanks


#2

Publicly-trusted CAs are not allowed to issue SHA-1 certificates; that includes Let’s Encrypt. They would risk being distrusted by browsers if they ignore this (see the WoSign story quite recently).

Depending on your use-case (and assuming you have no way to expedite the migration to devices that support SHA-2), you basically have two options:

  • Use self-signed certificates or an internal CA. openssl will happily produce a SHA-1 certificate.
  • Some CAs offer SHA-1 certificates issued under roots that have originally been publicly-trusted, but have since been removed from root programs and are not in scope for the rules that prevent SHA-1 issuance anymore. I know Comodo does this, and there might be others. I’m not sure whether they offer this to the general public or just at a certain enterprise client level (one company they do this for is Cloudflare, for example). Note that these certificates would not be trusted by any up-to-date browsers - not sure if this matters for your use-case. In fact, most browsers will stop trusting SHA-1 certificates entirely starting in January/February.

#3

@rannday, @pfg is quite right that we’re not allowed to issue these certificates from our intermediate. Do you have the ability to add additional root certificates to your equipment? (Do they have some kind of management interface that lets you edit their CA trust list?) If so, you could make your own private root and issue SHA-1 certificates under it, and tell your APs to trust that root.

Among other possibilities, the openssl command can do this; I think learning about that should take somewhere between 30 minutes and 12 hours, depending on your prior level of experience with certificates and system administration.


#4

I"m going to research setting up our own CA. This is our only option, I’m afraid. By the time we got done updating all the APs firmware, it’ll probably be time to start replacing them with Ruckus.

Going to use this guide - https://jamielinux.com/docs/openssl-certificate-authority/

Thanks for your help!


#5

hi rannday

if you are using microsoft then you can use the active directory certificate services.

NOTE: one of the things about using an internal CA is the need to distribute their intermediates.

Microsoft gives you a way to distribute these via AD


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.