web1b
Level 7

Default ePO 5.3.2 SSL Certificate is SHA-1. How to upgrade to SHA-2?

Jump to solution

I noticed the provided certificate is SHA-1 and all browsers will start warning that this is obsolete and not secure or even blocking access starting in a couple months.

How do we get this changed to SHA-2?

0 Kudos
1 Solution

Accepted Solutions
twenden
Level 13

Re: Default ePO 5.3.2 SSL Certificate is SHA-1. How to upgrade to SHA-2?

Jump to solution

It appears that McAfee will be addressing this in a new ePO release 5.9 which is slated for Jan 2017. This is the same time that SHA-1 will be no longer valid. Does not give a lot of time for testing.

What we did in our environment was to configure a third party SSL cert through InCommon. Another issue is with the agent to server communication. I believe that agent 4.8.x is using SHA-1 and is designed that way. They won't be upgrading agent 4.8.x to support SHA-2. You will need to make sure all your ePO agents are using agent 5.x as they use SHA-2.

See the article below.

McAfee KnowledgeBase - ePolicy Orchestrator Sustaining Statement (SSC1510301) - ePolicy Orchestrator...

0 Kudos
4 Replies
web1b
Level 7

Re: Default ePO 5.3.2 SSL Certificate is SHA-1. How to upgrade to SHA-2?

Jump to solution

This is surprising that they waited so long to address this that there is no fix until the same month SHA-1 is EOL. It's possible that 5.3.9 will not be released on time or will be rushed to be released and have serious bugs.

The link you posted doesn't mention anything about adding other certificates to ePO 5.3.2 as a workaround.

You said a third party cert can be used with 5.3.2. I've never heard of InCommon. Can we get SSL certificates from Symantec or GoDaddy etc. (or use our own internal PKI) and apply it to ePO 5.3.2 now so we are not in a mad scramble to upgrade to 5.3.9 in January? If so, how do we do this?

We will be updating all agents from 4.8 to 5.0.4 this month.

0 Kudos
twenden
Level 13

Re: Default ePO 5.3.2 SSL Certificate is SHA-1. How to upgrade to SHA-2?

Jump to solution

Below is a link on how to use a third party certificate.

McAfee KnowledgeBase - How to generate a custom SSL certificate for use with ePolicy Orchestrator us...

Yes, you should be able to use a certificate from any third party like godaddy. We use InCommon which is used by Education.

0 Kudos
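The reply above points at the KB procedure for generating a custom certificate with OpenSSL. The following script is an added example, not from the thread or from the McAfee KB: it shows how to read the signature algorithm off the certificate an ePO console is currently serving, how to generate a 2048-bit RSA key and a SHA-256 CSR that any public or internal CA can sign, and, as an offline demonstration with constructed test certificates, how a SHA-1 and a SHA-256 certificate are told apart. The hostname epo.example.test is hypothetical; 8443 is the default ePO console port and may differ in your install.

```shell
#!/bin/sh
# Added example (not McAfee's or the KB article's code).
# Requires the OpenSSL command-line tool.
set -eu

# Print the signature algorithm of a PEM certificate,
# e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Signature Algorithm/ { print $3; exit }'
}

# Succeed (exit 0) when the certificate is signed with a SHA-2 family
# hash, fail (exit 1) for SHA-1/MD5 or anything unrecognised.
cert_is_sha2() {
  case "$(cert_sig_alg "$1")" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# Generate a 2048-bit RSA private key and a SHA-256 CSR for the ePO
# server's hostname ($1), writing "$2.key" and "$2.csr". Prints the
# CSR's own signature algorithm so the caller can confirm it is SHA-256.
make_sha256_csr() {
  host=$1; out=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  openssl req -in "$out.csr" -noout -text \
    | awk '/Signature Algorithm/ { print $3; exit }'
}

# Fetch the leaf certificate a live ePO console presents on its HTTPS
# port (default 8443). Network-dependent, so not run in the offline demo:
#   fetch_server_cert epo.example.test > live.pem && cert_sig_alg live.pem
fetch_server_cert() {
  host=$1; port=${2:-8443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Offline demo with constructed data: self-sign one SHA-1 and one SHA-256
# certificate, then run the check against both.
demo() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 1 \
    -subj "/CN=epo-sha1.example.test" \
    -keyout "$tmp/k1.pem" -out "$tmp/sha1.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=epo-sha256.example.test" \
    -keyout "$tmp/k2.pem" -out "$tmp/sha256.pem" >/dev/null 2>&1
  for c in sha1 sha256; do
    if cert_is_sha2 "$tmp/$c.pem"; then
      printf '%s.pem: OK (%s)\n' "$c" "$(cert_sig_alg "$tmp/$c.pem")"
    else
      printf '%s.pem: needs replacing (%s)\n' "$c" "$(cert_sig_alg "$tmp/$c.pem")"
    fi
  done
  rm -rf "$tmp"
}

demo
```

Run the script as-is for the offline demonstration; to inspect a real server, call `fetch_server_cert` against the console hostname and feed the saved PEM to `cert_sig_alg`. The `.key` file written by `make_sha256_csr` is the private key that must stay on the ePO server; only the `.csr` goes to the CA.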
web1b
Level 7

Re: Default ePO 5.3.2 SSL Certificate is SHA-1. How to upgrade to SHA-2?

Jump to solution

It looks like you have provided the "correct" answer for this, but the solutions are all bad. I don't know how McAfee waited so long to address this natively. The SHA-1 deprecation schedule has been known for a very long time. This should not have been put off so long as to only be scheduled to be fixed in January 2017.

As for doing the workaround of using our own or a third party certificate with 5.3.2, it looks really messy and prone to error. I can't even find the Windows installer for the OpenSSL Tool Kit.

We probably will not be able to get this done unless we can open a case and get a remote session to walk us through the process.

0 Kudos