4 Replies Latest reply on Sep 21, 2016 2:39 AM by phoffmann

    Can the Core Certificate be changed to SHA2


      We are using LDMS only.  9.6 sp2.  A company wide effort is in place to update all SHA1 certificates to SHA2.  Can this be done to the core certificates?  Will there be any impact if the server is upgraded to SHA 2?

        • 1. Re: Can the Core Certificate be changed to SHA2
          Frank Wils ITSMMVPGroup



          This is currently not supported. LANDESK uses self-generated certificates that have a SHA1 thumbprint and are SHA256 encoded. If you would like it to be different, you can create an ER in the Idea section.



          1 of 1 people found this helpful
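Reply 1 separates a certificate's thumbprint from the hash used in its signature. The following is an added example, not code from the thread or from LANDESK: a PowerShell function that reports both values for exported certificate files, so a SHA-1 audit can key on the signature algorithm rather than on the thumbprint, which Windows always computes as a SHA-1 hash of the encoded certificate. The function name and the folder in the usage comment are assumptions.

```powershell
# Added example: report signature hash vs. thumbprint for certificate files.
# Get-CertHashReport is a hypothetical name; the path in the usage line is a placeholder.
function Get-CertHashReport {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )

    # Signature algorithm OIDs that use SHA-1.
    $sha1SignatureOids = @(
        '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
        '1.3.14.3.2.29',         # sha1WithRSASignature (older OIW form)
        '1.2.840.10040.4.3',     # dsa-with-sha1
        '1.2.840.10045.4.1'      # ecdsa-with-SHA1
    )

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($file in Get-ChildItem -Path $Path -File) {
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
            } catch {
                Write-Warning "Not a readable certificate: $($file.FullName)"
                continue
            }

            # The thumbprint is not stored in the certificate; it is a hash of the
            # DER bytes computed by the viewer. Computing SHA-256 over the same bytes
            # shows it is independent of how the certificate was signed.
            $fp256 = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

            [pscustomobject]@{
                File               = $file.Name
                Subject            = $cert.Subject
                NotAfter           = $cert.NotAfter
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                SignatureOid       = $cert.SignatureAlgorithm.Value
                SignedWithSha1     = $sha1SignatureOids -contains $cert.SignatureAlgorithm.Value
                Sha1Thumbprint     = $cert.Thumbprint
                Sha256Fingerprint  = $fp256
            }
        }
    } finally {
        $sha256.Dispose()
    }
}

# Usage (placeholder folder of exported .cer/.crt files):
# Get-CertHashReport -Path 'C:\Temp\exported-certs\*' | Where-Object SignedWithSha1
```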
          • 2. Re: Can the Core Certificate be changed to SHA2
            phoffmann SupportEmployee

            ... to add a little extra information - we are working on bumping up the Core-side certs to SHA-2 (one reason being that most browsers & a bunch of vendors are effectively EOL'ing SHA-1 in 2017) ... but it's not a small amount of work.


            If things go as planned, it is hoped that this should be introduced / upgraded around the end of the year / early 2017.


            (Assuming nothing goes wrong / other complications arise).


            It's not "just" a case of generating a cert with the new level - it involves touching / changing most comms ... so it's quite a large scale change.



            • Please note that the above is true for LANDesk Management Suite 2016 (and later) only!
            • LANDesk Management Suite 9.6 is *NOT* likely to be modified in such a way, as it's already had its EOL announcement and is fading out. So it's unlikely to see this (very) considerable work effort.


            ... look at this as a strong driver to upgrade, potentially.

            • 3. Re: Can the Core Certificate be changed to SHA2

              The SHA-1 phase out project manager at my company has some questions that I can probably answer, but I'd like to get an official LANDesk response:


              1) Will SHA2 be available by the end of the year? Our remediation deadline is the end of 2016.

              2) What impact does this certificate have on the application?

              • 4. Re: Can the Core Certificate be changed to SHA2
                phoffmann SupportEmployee

                The hope / intention is to have SHA-2 by end of the year. "Stuff may happen" so that's not a cast-iron thing (if we keep having "fun" surprises with Windows Patches breaking the agent due to Microsoft's changes for instance, dev resources need to prioritise that first), but that's the hope / intention.


                As for the second question ... I don't quite understand. Is the question where / how the agents use certificates? What effects you'd have if you'd remove / alter the certs yourself? Or - what exactly? A bit more specificity here would help.


                If the question is - "what happens without the certs" - it's essentially a case of "you will NOT have any Core to client Comms" (as the Core authenticates & hand-shakes to the clients via certs). So they're pretty key to the whole comms trail for a start.


                And then there's the "high security" www-service comms model, where clients have an individual cert with the Core ... so THAT way comms are also wrapped in certs. You can't just do without 'em.