Upgrade Certificate Authority (ROOT CA) from SHA1 to SHA2 (SHA256)
More text to come, comment for me to speed up 😀
Linux commands for CentOS 5 and CentOS 7
CentOS 7
If conversion is needed (legacy)
Copy our mycert.cer file to Linux (/tmp)
openssl x509 -inform der -in tv2b.cer -out tv2ca.pem (convert it to PEM)
cp /tmp/tv2ca.pem /etc/pki/ca-trust/source/anchors/tv2ca.pem (copy it into the trusted anchors for Linux)
update-ca-trust (If the certificate is in OpenSSL’s extended BEGIN TRUSTED CERTIFICATE format, place it in /etc/pki/ca-trust/source)
After switching to SHA256 it was NOT necessary to "convert" the ROOT CA to PEM; the certificate only had to be renamed. The steps below are complete, and after them it worked.
cp tv2b-ca_sha2.cer tv2b-ca_sha2.pem
cp /tmp/tv2b-ca_sha2.pem /etc/pki/ca-trust/source/anchors/tv2b-ca.pem
update-ca-trust
CentOS 5
Copy the tv2b-ca.cer file to /tmp on the varnish server
Rename it there to .pem
cp /tmp/tv2b-ca_sha2.cer /tmp/tv2b-ca_sha2.pem
Take a backup of the ca-bundle
cp /etc/pki/tls/certs/ca-bundle.crt /tmp/ca-bundle.bak
Then append the pem file to your ca-bundle
cat /tmp/tv2b-ca_sha2.pem >> /etc/pki/tls/certs/ca-bundle.crt
Now the new root crt is trusted.
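Renaming a .cer to .pem, as in both procedures above, only gives a usable file when the .cer is already Base64 (PEM) encoded; a DER-encoded file still needs the openssl conversion and would corrupt ca-bundle.crt if appended as-is. The following is an added example, not part of the original post, that checks the encoding, picks the CentOS 7 directory from the update-ca-trust note, and confirms the SHA-256 signature. The function names are illustrative, and the DER check assumes the file starts with the bytes 30 81, 30 82 or 30 83, as certificates do.

```shell
#!/bin/sh
# Added example: decide whether a root CA .cer can simply be renamed to .pem.
# Function names are illustrative; directories are the CentOS 7 ones used above.

# Print "pem", "der" or "unknown" for the file in $1.
cert_encoding() {
    # PEM is text with a BEGIN (TRUSTED) CERTIFICATE armor line.
    if grep -q -- '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
        return
    fi
    # DER is binary ASN.1: SEQUENCE tag 0x30 plus a long-form length byte.
    case "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" in
        308[123]) echo der ;;
        *)        echo unknown ;;
    esac
}

# Write a PEM copy of $1 to $2: plain copy for PEM, openssl conversion for DER.
to_pem() {
    case "$(cert_encoding "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# CentOS 7 directory for PEM file $1 (TRUSTED CERTIFICATE format goes one level up).
anchor_dir() {
    if grep -q -- '-----BEGIN TRUSTED CERTIFICATE-----' "$1" 2>/dev/null; then
        echo /etc/pki/ca-trust/source
    else
        echo /etc/pki/ca-trust/source/anchors
    fi
}

# Succeed only if the certificate in PEM file $1 carries a SHA-256 signature.
is_sha256() {
    openssl x509 -in "$1" -noout -text | grep -qi 'Signature Algorithm:.*sha256'
}

# When run as a script, report on each file named on the command line.
for f in "$@"; do
    printf '%s: %s, install under %s\n' "$f" "$(cert_encoding "$f")" "$(anchor_dir "$f")"
done
```

Run to_pem before the cp or cat step and is_sha256 on its output, so a DER file or a certificate still signed with SHA1 is caught before it reaches the trust store.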
Additional links regarding the topic
http://ammarhasayen.com/2015/02/04/what-makes-a-ca-capable-of-issuing-certificates-that-uses-sha-2/
http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx
http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html