
Migration to SHA256 for internal CA

Hey Guys. Just need a sanity check. Running R77.30 and our VPN Certificate is showing as using SHA1. I am looking at the SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA) article.

It mentions Resetting SIC. Am I correct in assuming this is only if we wanted to re-generate the SIC certificate using SHA256? If we just simply wanted to re-generate the cert used for VPN this is not needed? So for instance all I would need to do is the following if I just wanted a SHA256 cert for VPN:

1. Run cpca_client set_sign_hash sha256 on the mgmt box

2. Re-generate VPN certificate under each gateway

3. Install policy




Re: Migration to SHA256 for internal CA

I believe you are correct.

The setting applies for NEW certificates generated going forward, not for existing ones.

Note that once you do this, you will not be able to generate new SIC certificates for gateways prior to version R71, which do not support SHA2 hashes.

Re: Migration to SHA256 for internal CA

Thanks! I will give it a shot and hopefully all goes well. 
