This article outlines Check Point versions that support SHA-256 certificates for SIC and for VPN.
The Internal CA (ICA) issues certificates based on the SHA-1 algorithm by default in R77.X and lower versions.
An administrator can change the default SHA algorithm used by the ICA by running the following command on the Security Management Server / Domain Management Server and selecting the desired algorithm:
[Expert@HostName]# cpca_client set_sign_hash <sha256 | sha384 | sha512>
Notes:
- The Security Management Server / Multi-Domain Security Management Server must run R71 or higher.
- On a Multi-Domain Security Management Server, the command has to be executed in the context of the relevant Domain Management Server (# mdsenv <Name of Domain Management Server>).
The change will take effect from this point forward, for new certificates and for re-generated certificates.
The migration process for an entire environment can be done in the following way:
- Renew the certificate for each involved Portal.
- Re-issue the Security Gateway's certificates in the Security Gateway's object (go to the IPSec VPN pane).
- Reset the SIC with the Security Gateway per sk65764.
- There is no need to recreate the VPN Site on Remote Access Clients (because the Security Gateway's "DN" does not change).
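After the hash has been changed and certificates re-issued, an administrator will want to confirm which hash a given certificate was actually signed with before resetting SIC or rolling the change out further. The script below is an added example, not part of this article or of Check Point's tooling: it reads the outer signatureAlgorithm of a DER or PEM certificate with only the Python standard library and maps it to the names cpca_client set_sign_hash accepts; constructed_cert builds constructed sample inputs for testing.

```python
"""Report the signature hash of an X.509 certificate (DER or PEM) with the
standard library only. Hypothetical audit helper, not a Check Point tool."""
import base64
import re

# Outer signatureAlgorithm OIDs (PKCS#1 RSA with the named hash), mapped to
# the names cpca_client set_sign_hash accepts; SHA-1 is the pre-R80 default.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1", "1.2.840.113549.1.1.11": "sha256",
            "1.2.840.113549.1.1.12": "sha384", "1.2.840.113549.1.1.13": "sha512"}

def _tlv(buf, pos):
    """Decode one DER header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted notation (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert):
    """Return 'sha1', 'sha256', ... for the certificate's outer signatureAlgorithm,
    or the raw dotted OID for an algorithm not in SIG_OIDS."""
    if cert.lstrip().startswith(b"-----BEGIN"):              # PEM -> DER
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, start, _ = _tlv(cert, 0)                            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(cert, start)                        # skip tbsCertificate
    _, alg_start, _ = _tlv(cert, tbs_end)                    # signatureAlgorithm
    _, oid_start, oid_end = _tlv(cert, alg_start)            # its algorithm OID
    oid = _decode_oid(cert[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def constructed_cert(hash_name):
    """CONSTRUCTED sample input: minimal DER with an empty tbsCertificate and a
    dummy signature, carrying the RSA-with-<hash_name> signatureAlgorithm OID."""
    last = {"sha1": 0x05, "sha256": 0x0B, "sha384": 0x0C, "sha512": 0x0D}[hash_name]
    alg = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([last]) + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
```

On a real certificate exported from a gateway, a result of "sha1" after the migration means that object's certificate has not yet been re-issued.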
Summary table:

Check Point Product                                  | Support for SHA-256 certificates
-----------------------------------------------------|------------------------------------------
Security Gateway, Security Management Server         | since R71 GA
600 / 1100 / Security Gateway 80 appliance           | since R75.20 GA firmware
Endpoint Security Clients                            | since E80 GA
Remote Access Clients (Endpoint Security VPN,        | since E75.20
SecuRemote, Check Point Mobile for Windows)          |
SecureClient NGX R60 and lower                       | not supported
UTM-1 Edge N / Industrial, Safe@Office 1000          | since firmware 8.2.77 - refer to sk109147
Notes:
- In R80.xx environments, a Check Point Security Management Server functioning as the Log Server cannot act as the OPSEC Server for vendors that do not support SHA-256. Refer to sk109618.
- Currently, there is no option to change the hash algorithm of the ICA certificate itself (the root certificate) to SHA-256. When an R77.X (or lower) Security Management Server was installed, the First Time Configuration Wizard created the CA database and a root CA certificate. This CA certificate has a 2048-bit RSA key and is self-signed with SHA-1.
- This article does not apply to HTTPS Inspection. The certificate generated by the HTTPS Inspection Security Gateway (for outbound traffic inspection) is SHA-1 signed (in R77.20 and lower).
- In sk103839, an enhancement was added that changes the signing algorithm of the HTTPS Inspection certificate to match the signing algorithm of the server.
- The SHA-256 support matrix above also applies to certificates generated by third-party CAs, not just the ICA.
Notes about R80 Management Server:
Starting from R80, the default signing algorithm of the Internal CA (ICA) was changed from SHA-1 to SHA-256 (Issue ID 01535193).
Environments with products that do not support SHA-256 must be manually configured to use SHA-1.
Using SHA-256 will cause connectivity failure in non-supporting products.
Upgrade scenario:
- Complete the upgrade process of the Management Server to R80.
- Immediately after the upgrade, on the R80 Management Server, run:
[Expert@HostName]# cpca_client set_sign_hash sha1
Clean Install Scenario:
- Complete the installation of the R80 Management Server and reboot.
- Immediately after the reboot, on the R80 Management Server, run:
[Expert@HostName]# cpca_client set_sign_hash sha1
[Expert@HostName]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12
[Expert@HostName]# cpstop
[Expert@HostName]# cpstart
- Proceed with the configuration of other machines in your environment.
Note: On an R80 Multi-Domain Security Management Server, the command has to be executed in the context of the relevant Domain Management Server (# mdsenv <Name of Domain Management Server>).