SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)
Solution

This article outlines Check Point versions that support SHA-256 certificates for SIC and for VPN.

The Internal CA (ICA) issues certificates signed with the SHA-1 algorithm by default in R77.X and lower versions.

An administrator can change the default signature hash algorithm used by the ICA by running the following command on the Security Management Server / Domain Management Server and specifying the desired algorithm:

[Expert@HostName]# cpca_client set_sign_hash <sha256 | sha384 | sha512>

Notes:

  • The Security Management Server / Multi-Domain Security Management Server must run R71 or higher
  • On Multi-Domain Security Management Server, the command has to be executed in the context of the relevant Domain Management Server (# mdsenv <Name of Domain Management Server>)

The change takes effect from this point forward, for new certificates and for re-generated certificates; certificates issued earlier keep their existing signature until they are renewed.

The migration process for an entire environment can be done in the following way:

  1. Renew the certificate for each involved Portal:
    • If auto-generated certificates are used for Portals:
      1. In SmartDashboard, open the Security Gateway's object
      2. Go to the IPSec VPN pane
      3. In the "Repository of Certificates Available to the Gateway" section, select the certificate
      4. Click on the "Renew..." button and follow the instructions on the screen
    • If certificates from a 3rd-party CA are used for Portals:
      1. Renew the certificate for each involved Portal according to the way in which the certificate was generated by the 3rd-party CA
      2. In SmartDashboard, open the Security Gateway's object
      3. Go to the relevant Portal's pane
      4. Import the renewed 3rd-party CA certificate
  2. Re-issue the Security Gateway's certificates in the Security Gateway's object (go to the IPSec VPN pane)
  3. Reset the SIC with the Security Gateway per sk65764
  4. There is no need to recreate the VPN Site on Remote Access Clients (because the Security Gateway's "DN" does not change)
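As an added example (not part of this SecureKnowledge article and not a Check Point tool), the following POSIX shell script reports the signature hash of PEM certificates exported from the environment, so an administrator can confirm after the re-issue step which certificates really carry a SHA-256 signature and which are still signed with SHA-1. It assumes only openssl and awk are available; the certificate it generates for its own demo is a constructed self-signed test certificate, not an ICA certificate.

```shell
#!/bin/sh
# Added example: classify X.509 certificates by the hash used in their
# signature, to verify a SHA-1 -> SHA-256 migration. Not Check Point code.

# sig_alg_from_text: read "openssl x509 -text" output on stdin and print the
# signature algorithm name (e.g. "sha256WithRSAEncryption"); the first match
# is the one in the to-be-signed part, which is what matters here.
sig_alg_from_text() {
  awk '/Signature Algorithm:/ { print $3; exit }'
}

# hash_of_sig_alg ALG: map an OpenSSL algorithm name to its hash family.
hash_of_sig_alg() {
  case "$1" in
    sha1With*|ecdsa-with-SHA1)     echo sha1 ;;
    sha256With*|ecdsa-with-SHA256) echo sha256 ;;
    sha384With*|ecdsa-with-SHA384) echo sha384 ;;
    sha512With*|ecdsa-with-SHA512) echo sha512 ;;
    md5With*)                      echo md5 ;;
    *)                             echo unknown ;;
  esac
}

# cert_sig_hash FILE: hash family used to sign the PEM certificate FILE.
cert_sig_hash() {
  _alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sig_alg_from_text)
  hash_of_sig_alg "$_alg"
}

# is_sha1_cert FILE: succeed (exit 0) when FILE is still signed with SHA-1 or MD5,
# i.e. it has not yet been re-issued after "cpca_client set_sign_hash sha256".
is_sha1_cert() {
  case "$(cert_sig_hash "$1")" in
    sha1|md5) return 0 ;;
    *)        return 1 ;;
  esac
}

# report_certs FILE...: one tab-separated line per certificate, flagging
# certificates that still need to be renewed.
report_certs() {
  for f in "$@"; do
    h=$(cert_sig_hash "$f")
    if is_sha1_cert "$f"; then
      printf '%s\t%s\tLEGACY - renew this certificate\n' "$f" "$h"
    else
      printf '%s\t%s\tok\n' "$f" "$h"
    fi
  done
}

# Demo on a constructed self-signed test certificate (not an ICA certificate):
# generate one signed with SHA-256 and report it. Skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example-test" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  report_certs "$tmp/cert.pem"
  rm -rf "$tmp"
fi
```

Run it against certificates exported in PEM format (for example `report_certs *.pem`); any line marked LEGACY identifies a certificate that was issued before the ICA default was changed and still has to be renewed or re-issued as described in the steps above.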


Summary table:

  Check Point Product                                   Support for SHA-256 certificates
  ----------------------------------------------------  ------------------------------------------
  Security Gateway, Security Management Server          since R71 GA
  600 / 1100 / Security Gateway 80 appliance            since R75.20 GA firmware
  Endpoint Security Clients                             since E80 GA
  Remote Access Clients:                                since E75.20
    • Endpoint Security VPN
    • SecuRemote
    • Check Point Mobile for Windows
  SecureClient NGX R60 and lower                        not supported
  UTM-1 Edge N / Industrial, Safe@Office 1000           since firmware 8.2.77 - refer to sk109147

Notes:

  • In R80.xx environments, a Check Point Security Management Server functioning as the Log Server is not supported as the OPSEC Server for vendors that cannot support SHA-256. Refer to sk109618.

  • Currently, there is no option to change the hash algorithm of the ICA certificate itself (the root CA certificate) to SHA-256.
    When an R77.X (or lower) Security Management Server was installed, the First Time Configuration Wizard created the CA database and a root CA certificate. This CA certificate has a 2048-bit RSA key and is self-signed with SHA-1.

  • This article does not apply to HTTPS Inspection. The certificate generated by the HTTPS Inspection Security Gateway (for outbound traffic inspection) is signed with SHA-1 (in R77.20 and lower).

  • In sk103839, an enhancement was added that changes the signing algorithm of the HTTPS Inspection certificate to be identical to the signing algorithm of the server.

  • The SHA-256 support matrix above also applies to certificates generated by third-party CAs, not just the ICA.

  • Notes about R80 Management Server:

    Starting from R80, the default signing algorithm of the Internal CA (ICA) was changed from SHA-1 to SHA-256 (Issue ID 01535193).

    Environments that contain products which do not support SHA-256 must be manually configured to use SHA-1; using SHA-256 causes connectivity failures with those products.

    Upgrade scenario:

    1. Complete the upgrade process of the Management Server to R80.
    2. Immediately after the upgrade, on the R80 Management Server, run:
      [Expert@HostName]# cpca_client set_sign_hash sha1

    Clean Install Scenario:

    1. Complete the installation of the R80 Management Server and reboot.
    2. Immediately after the reboot, on the R80 Management Server, run:
      [Expert@HostName]# cpca_client set_sign_hash sha1
      [Expert@HostName]# cpca_client create_cert -n "cn=cp_mgmt" -f $CPDIR/conf/sic_cert.p12
      [Expert@HostName]# cpstop
      [Expert@HostName]# cpstart
    3. Proceed with the configuration of other machines in your environment.

    Note: On R80 Multi-Domain Security Management Server, the command has to be executed in the context of the relevant Domain Management Server (# mdsenv <Name of Domain Management Server>).
