SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)
Solution

Background

This article outlines Check Point versions that support SHA-256 certificates for SIC and for VPN.

In R77.X and lower versions, by default, the Internal CA (ICA) issues certificates based on the SHA-1 algorithm.

In R80.xx, by default, the Internal Certificate Authority (ICA) certificate is signed with the SHA-256 signature algorithm.

Certificates issued by the ICA inherit the same signature algorithm as the ICA certificate. For example, as long as the signature algorithm of the ICA certificate is SHA-1, all certificates issued by it have the SHA-1 signature algorithm. Even when SHA-256 signs the recreated ICA root certificate, old certificates issued by the old ICA root certificate stay with the SHA-1 signature algorithm.

If the signature algorithm of the ICA certificate is SHA-256 or higher, recreate the old certificates so that they are signed with the same signature algorithm as the ICA certificate.

How to Check the Signature Algorithm of ICA Certificates

To see the hash algorithm of an ICA certificate:
  • On the Security Management Server, run this command in the Expert mode:
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm" 

  • On the Multi-Domain Security Management Server, run these commands in the Expert mode:

    • mdsenv <IP Address or Name of Domain Management Server>
    • cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
If the hash algorithm is SHA-256, the output is:
Signature Algorithm: sha256WithRSAEncryption

How to Check the Signature Algorithm of SIC Certificates

To see the hash algorithm of a SIC certificate:
  • On the Security Management Server, run this command in the Expert mode:
cpopenssl pkcs12 -in $CPDIR/conf/sic_cert.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"

  • On the Multi-Domain Security Management Server, run these commands in the Expert mode:

    • mdsenv <IP Address or Name of Domain Management Server>
    • cpopenssl pkcs12 -in $CPDIR/conf/sic_cert.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"

If the hash algorithm is SHA-256, the output is:
Signature Algorithm: sha256WithRSAEncryption

To learn more about Secure Internal Communication (SIC), refer to the Quantum Security Management R81.10 Administration Guide (chapter "Managing Gateways", section "Secure Internal Communication").
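The two check procedures above (ICA and SIC) both end in a grep for the "Signature Algorithm" line. The following added example (not Check Point's code) wraps that pipeline in a small shell function that returns whether the certificate still needs renewal; the x509 text snippets used as sample input are constructed, and the live check assumes it runs in Expert mode on a server where cpopenssl and $FWDIR/$CPDIR are set.

```shell
#!/bin/bash
# Added example: classify the signature algorithm of the ICA or SIC certificate.

# Constructed sample of "cpopenssl x509 -noout -text" output for an old, SHA-1 signed ICA.
SAMPLE_SHA1_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=mgmt.example.com.abcdef   (constructed value)
    Signature Algorithm: sha1WithRSAEncryption'

# Constructed sample for an ICA recreated under R80.xx (SHA-256).
SAMPLE_SHA256_TEXT='Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption'

# Read x509 -text output on stdin and print the algorithm name.
# The line appears twice (TBS part and outer signature); the first one is enough.
sig_alg_from_text() {
    awk '/Signature Algorithm/ { print $3; exit }'
}

# Map the algorithm name to an action. SHA-1 signed certificates must be renewed
# (see the renewal sections of this article); SHA-256 and stronger are fine.
classify_sig_alg() {
    case "$1" in
        sha1*)                                echo "sha1:renew" ;;
        sha256With*|sha384With*|sha512With*)  echo "ok" ;;
        *)                                    echo "unknown:$1" ;;
    esac
}

# Live check on a Security Management Server (Expert mode). On a Multi-Domain Server
# run "mdsenv <Domain Management Server>" first so $FWDIR/$CPDIR point at the domain.
check_cert() {
    case "$1" in
        ica) p12="$FWDIR/conf/InternalCA.p12" ;;
        sic) p12="$CPDIR/conf/sic_cert.p12" ;;
        *)   echo "usage: check_cert ica|sic" >&2; return 2 ;;
    esac
    alg=$(cpopenssl pkcs12 -in "$p12" -nokeys -nomacver -passin pass: \
          | cpopenssl x509 -noout -text | sig_alg_from_text)
    classify_sig_alg "$alg"
}

# Demo on the constructed samples (no server needed).
printf '%s\n' "$SAMPLE_SHA1_TEXT"   | sig_alg_from_text | xargs -I{} sh -c 'echo "old ICA: {}"'
printf '%s\n' "$SAMPLE_SHA256_TEXT" | sig_alg_from_text | xargs -I{} sh -c 'echo "new ICA: {}"'
```

Run `check_cert ica` or `check_cert sic` on the server itself; a result of `sha1:renew` means the certificate was issued before the ICA moved to SHA-256 and must be recreated.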

How to Renew IKE Certificates with the SHA-256 Signature Algorithm

  1. Make sure the ICA certificate signature algorithm is SHA-256 or higher. Refer to the section "How to Check the Signature Algorithm of ICA Certificates" above.
  2. To renew the IKE certificates, follow the procedure in sk31539 - Security Management Server warns about expiring Security Gateway certificates during policy installation.
Note: It is not necessary to recreate the VPN Site on Remote Access Clients because the Security Gateway's DN does not change.

How to Renew SIC Certificates with the SHA-256 Signature Algorithm

  1. Make sure the ICA certificate signature algorithm is SHA-256 or higher. Refer to the section "How to Check the Signature Algorithm of ICA Certificates" above.
  2. To renew the SIC certificates, refer to sk43783 - How to renew SIC certificate for Security Management Server / Multi-Domain Security Management Server.
