Background
This article outlines Check Point versions that support SHA-256 certificates for SIC and for VPN.
In R77.X and lower versions, by default, the Internal CA (ICA) issues certificates based on the SHA-1 algorithm.
In R80.xx, by default, the ICA certificate is signed with SHA-256.
Certificates issued by the ICA are signed with the same signature algorithm as the ICA certificate itself. For example, as long as the ICA certificate is signed with SHA-1, every certificate it issues is signed with SHA-1. Re-creating the ICA root certificate with SHA-256 does not change certificates that already exist: those issued by the old ICA root certificate keep their SHA-1 signature.
To move old certificates to SHA-256, first confirm that the ICA certificate is signed with SHA-256 (or stronger), then renew those certificates. The ICA signs the renewed certificates with its own signature algorithm.
How to Check the Signature Algorithm of ICA Certificates
To see the hash algorithm of an ICA certificate:
- On the Security Management Server, run this command in the Expert mode:
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
- On the Multi-Domain Security Management Server, run these commands in the Expert mode:
mdsenv <IP Address or Name of Domain Management Server>
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
If the hash algorithm is SHA-256, the output is:
Signature Algorithm: sha256WithRSAEncryption
How to Check the Signature Algorithm of SIC Certificates
To see the hash algorithm of a SIC certificate:
- On the Security Management Server, run this command in the Expert mode:
cpopenssl pkcs12 -in $CPDIR/conf/sic_cert.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
- On the Multi-Domain Security Management Server, run these commands in the Expert mode:
mdsenv <IP Address or Name of Domain Management Server>
cpopenssl pkcs12 -in $CPDIR/conf/sic_cert.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
If the hash algorithm is SHA-256, the output is:
Signature Algorithm: sha256WithRSAEncryption
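The two checks above (ICA certificate and SIC certificate) run the same cpopenssl pipeline and leave the reader to eyeball the "Signature Algorithm" line. The following shell script is an added example, not part of the Check Point article: it wraps that pipeline in a function, extracts the first "Signature Algorithm:" value from the x509 text output, and classifies it as "ok" (SHA-256 or stronger), "weak" (SHA-1 or MD5) or "unknown". The fallback to plain openssl when cpopenssl is not on the path, the function names, and the two embedded sample outputs are assumptions made for running it off-box; on a Gaia system, call check_p12 with $FWDIR/conf/InternalCA.p12 or $CPDIR/conf/sic_cert.p12.

```shell
#!/bin/sh
# Added example (not Check Point's code): classify the "Signature Algorithm" line
# printed by the cpopenssl pipeline used in the article, and flag anything
# weaker than SHA-256.

# sig_alg_from_text: read `x509 -text` output on stdin and print the first
# "Signature Algorithm: ..." value (the TBS copy comes before the trailer copy).
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# classify_sig_alg NAME: print ok | weak | unknown for an algorithm name such as
# sha256WithRSAEncryption, sha1WithRSAEncryption or ecdsa-with-SHA256.
classify_sig_alg() {
    case "$1" in
        *sha256*|*SHA256*|*sha384*|*SHA384*|*sha512*|*SHA512*) echo ok ;;
        *sha1*|*SHA1*|*md5*|*MD5*) echo weak ;;
        *) echo unknown ;;
    esac
}

# check_p12 PATH: run the article's pipeline on a PKCS#12 file (empty password,
# MAC not verified, key not needed) and print "<path> <algorithm> <verdict>".
# Assumption: outside Gaia, plain openssl stands in for cpopenssl.
check_p12() {
    p12="$1"
    ossl=cpopenssl
    command -v cpopenssl >/dev/null 2>&1 || ossl=openssl
    alg=$("$ossl" pkcs12 -in "$p12" -nokeys -nomacver -passin pass: 2>/dev/null \
          | "$ossl" x509 -noout -text 2>/dev/null | sig_alg_from_text)
    printf '%s %s %s\n' "$p12" "${alg:-unreadable}" "$(classify_sig_alg "$alg")"
}

# Constructed samples: what an R77.x (SHA-1) ICA and an R80.x (SHA-256) ICA
# produce in the relevant part of the x509 text output.
SAMPLE_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=mgmt..abc123'
SAMPLE_SHA256='    Signature Algorithm: sha256WithRSAEncryption'

# demo_classify_samples: classify both constructed samples; prints "weak ok".
demo_classify_samples() {
    a=$(printf '%s\n' "$SAMPLE_SHA1" | sig_alg_from_text)
    b=$(printf '%s\n' "$SAMPLE_SHA256" | sig_alg_from_text)
    echo "$(classify_sig_alg "$a") $(classify_sig_alg "$b")"
}

# Usage on a Security Management Server (Expert mode), after `mdsenv <Domain>`
# on Multi-Domain Security Management:
#   check_p12 "$FWDIR/conf/InternalCA.p12"
#   check_p12 "$CPDIR/conf/sic_cert.p12"
```

A "weak" verdict on the ICA file means every certificate it has issued is SHA-1 as well, and renewing the SIC or IKE certificates will not help until the ICA certificate itself is re-created with SHA-256.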
How to Renew IKE Certificates with the SHA-256 Signature Algorithm
How to Renew SIC Certificates with the SHA-256 Signature Algorithm