Sijeel
Contributor

Changing certificate hash to sha-256 and length to 2048

Hi Experts


We have recently upgraded for mgmt servers from r77.30 to r80.30 and it's my understanding that the default signing algorithm of the Internal CA (ICA) was changed from SHA-1 to SHA-256. I have already gone through the SK103840 and it's more about changing the default SHA algorithm from sha-1 to sha-256 used by the ICA to issue certificates in R77.30 or reverse from sha-256 to sha-1 in R80.30.


1. So from this point forward, for new certificates and for re-generated certificates the hash will be SHA-256. Our manager is already on R80.30 so the default signing algorithm of the Internal CA (ICA) is sha-256. So any new cert or renewed cert will be issued with sha-256. Is that correct?

2. How can we change the algorithm hash for the ICA itself (ICA certificate / root certificate) to SHA-256? In R77.30 it was not possible, but is it possible in R80.30?

3. Also, I had a query about how to change the default key length size of the mgmt server and gateway to 2048-bit. Will this be done when we renew the certs?

Regards,
Sijeel Malik

0 Kudos
3 Replies
PhoneBoy
Admin

The only way to change the ICA certificate to sha-256 is to completely reset SIC using fwm sic_reset.
This is quite disruptive, which is why it’s not done by default.

0 Kudos
Sijeel
Contributor

Hi

So in order to change the ICA cert to sha-256 we use the fwm sic_reset command, which will delete all the certs issued and then recreate the ICA.

So how do we change the default key length size of the mgmt server and gateway certs to 2048-bit?

Sijeel

0 Kudos
PhoneBoy
Admin

2048-bit is the default (has been since R77), but if you want to change it: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos