
SHA-1 --> SHA-2

What are folks doing to move from SHA-1 to SHA-2?

It looks like the IE browser will error with sha-1 certs next year and Chrome will give a warning message.

Higher-ups are asking about the need to move to sha-2 (sha256).

We have implemented NWSSO-2 with the saplogon client and secure logon server for SAPGUI , java and ABAP- WAS. We're creating our own certs, no CA's.

I can see the local and server certs are all sha-1, except the MS cert (sha256) that is on the client side used with the ADS server.

I'm not seeing any docs on how to generate the sha256 certificate; is this supported by NWSSO-2?


3 Answers

  • Posted on Jun 23, 2016 at 06:48 AM

    Hi Chris,


    Secure Login Server supports the creation of SHA-2 certificates.


    You should see a drop down list in User Certificate Configuration > User Certificate Properties > Signature Algorithm, providing SHA-1 and several SHA-2 with RSA.


    Refer to the Thread below:

    Secure Login Server and SHA256-based certificates | SCN


    Cheers,

    Filipe Santos


    • Thanks for your response Filipe.

      Excuse my ignorance but I don't think I'm looking in the correct place.

      I'm in the Secure Login Administration Console (slac) -->Certificate Management.

      I'm suspecting that I need to upgrade; I'm on version 2.0, SP 3, patch 0.

      Chris

  • Posted on Jun 23, 2016 at 07:47 AM

    Hi Chris, I think your detailed question was answered by Filipe.

    But I would like to discuss how far deprecation of SHA1 by MS, Google and others will go.

    From what I read, the deprecation will only hit certificates of CAs that are rolled out from Microsoft. So this would not hit self-signed certificates and certificates of private CAs. But I don't feel sure about this. I cannot find anybody currently who feels sure about this. What do you think?

    Regards,

    Lutz


  • Posted on Jul 15, 2016 at 03:23 PM

    2.04 is where this option appears. We upgraded to 2.06 and it works fine: we can specify sha256 on the server and see the new sha256 certs being accepted on the client.

    Follow-up question: do we need to update the back-end server certs that are signed sha-1?

    We can SSO into ABAP and WAS, Java... with the back-ends still using sha-1 now. I'm a bit concerned that the Java and WAS with IE will be an issue in the future.


    • Chris Grogan (to Marcus Quintino Kuhnen)

      Thanks Marcus.

      We also noticed a few things with the back-ends.

      The process recommended to recreate the backend cert with sha256 did NOT work for us (it kept the sha-1 signature); we're guessing because we originally created them using Secude.

      The browser when connecting to the WAS/Portals checks your client cert (sha256 now) as well as the backend cert.

      For the WAS(icm), Chrome issues a warning on SHA-1 and the 2017 expiration date; interestingly, IE gives no warnings or errors.

      We created a sub cert to the sha-1 CA on the SLS server as type SSL Server, specified sha256 and imported it into ABAP SSL. This worked fine and resolved the Chrome warnings.

      For the portal we have the same warnings with Chrome, but it looks like the backend cert has to be a root CA. It appears the Portal just creates a trust: nwa --> configuration --> ssl --> Trusted CA's is where we see the sha-1 CA from the SLS server. So it looks like we need to replace the root CA (with sha256) on SLS just for the Portal?

      My understanding is that replacing the SLS root CA (creating it with sha256) will break everything unless we give it the same name as the previous sha-1 one, but we can't do that until everyone is off this sha-1 root CA. Is this correct?

      What's the recommended plan to migrate the DEV/QAS and then PRD systems to sha256 if all these systems use the same SLS? Is there an approach besides a big bang?

      Sorry, lots of questions; hope someone can guide us. We do have a ticket in with support as well, as we are looking for some guidance.

      Thanks,

      Chris
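
The recurring problem in this thread is finding out which certificates are still SHA-1 signed (the recreated backend cert "kept the sha-1 signature", the root CA in the Portal trust list, the client cert). Below is an added example, not SLS or SAP code, that reads the signatureAlgorithm field of exported certificates (DER or PEM) with the Python standard library only, so it can be run on a server that has no OpenSSL at hand. The sample certificates it builds are constructed skeletons with a stub tbsCertificate, not valid X.509 certificates; only the signatureAlgorithm field is real. The OID table covers the common RSA and ECDSA signature OIDs.

```python
"""Inventory exported X.509 certificates by signature hash (SHA-1 vs SHA-2).

Added example for this thread; not SAP, SLS or OpenSSL code. It walks only the
outer DER structure of a certificate:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
so no third-party library is needed.
"""
import base64
import re

# OID of the signature algorithm -> (RFC name, hash used). Extend as needed.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
WEAK_HASHES = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    """OID content bytes -> dotted string (base-128 arcs; first byte packs two arcs)."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return (oid, name, hash) of the algorithm the issuer signed this cert with."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; pass PEM input through pem_to_der first")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped entirely
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, digest = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def weak_certs(certs):
    """certs: {label: DER bytes}. Returns the labels still signed with MD5 or SHA-1."""
    return sorted(label for label, der in certs.items()
                  if signature_algorithm(der)[2] in WEAK_HASHES)


# --- constructed sample input (NOT valid certificates: tbsCertificate is a stub) ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Certificate skeleton: real signatureAlgorithm field, dummy body and signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                            # stub tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 257)                                  # BIT STRING, zero bits
    return _tlv(0x30, tbs + alg + sig)


def sample_pem(der):
    """Wrap DER in PEM armour the way an exported .crt file looks."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    inventory = {                                                    # constructed labels
        "root-ca-export": build_sample_cert("1.2.840.113549.1.1.5"),     # SHA-1 signed
        "ssl-server-export": build_sample_cert("1.2.840.113549.1.1.11"),  # SHA-256 signed
        "client-pem-export": pem_to_der(sample_pem(build_sample_cert("1.2.840.113549.1.1.11"))),
    }
    for label, der in inventory.items():
        print(label, *signature_algorithm(der))
    print("still SHA-1/MD5:", weak_certs(inventory))
```

Where OpenSSL is available, `openssl x509 -in cert.pem -noout -text` prints the same field as "Signature Algorithm:". Two points worth keeping in mind when reading the output: the field records the hash the issuer used, so a leaf created with sha256 under a SHA-1 CA reports SHA-256 for the leaf while the CA certificate itself still reports SHA-1; and browsers do not validate the self-signature on a trust anchor they already hold, so the signatures that drive the warnings are the ones on the leaf and any intermediate, not on the root.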
