7021475: SMT 11: Procedure to change the CA Certificate’s Signature Algorithm from SHA1 to SHA256

IMPORTANT: The following procedure removes and recreates the CA Certificate. All Client systems already registered against the SMT must therefore be re-registered to get the new certificate; this step is mandatory.

First, verify that your current CA Certificate’s Signature Algorithm is SHA1:

# openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -text

The output should contain a line like this: “Signature Algorithm: sha1”

To change it to SHA256, edit the following file with the editor of your preference:

/var/lib/CAM/openssl.cnf.tmpl

The file contains the following configuration option multiple times:

default_md=sha1

Change every one of these lines to:

default_md=sha256

Once finished, save the file and exit the editor.
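The check and the template edit described above can also be scripted. The following is an added example, not part of the original TID: the two paths are the ones named in this article, while the function names, the `.sha1.bak` backup suffix and the `--apply` switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Paths are the ones named in the article; the function
# names are hypothetical.
CA_CERT=/var/lib/CAM/YaST_Default_CA/cacert.pem
TEMPLATE=/var/lib/CAM/openssl.cnf.tmpl

# Print the certificate's signature algorithm (first occurrence only).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Count active default_md lines still set to sha1 (spaces around '=' allowed).
count_sha1_md() {
    grep -c '^[[:space:]]*default_md[[:space:]]*=[[:space:]]*sha1[[:space:]]*$' "$1" || true
}

# Switch every default_md=sha1 to sha256, keeping the original as *.sha1.bak.
# Returns 0 only when no sha1 setting is left in the file.
switch_default_md() {
    tmpl=$1
    [ -f "$tmpl" ] || { echo "missing: $tmpl" >&2; return 2; }
    before=$(count_sha1_md "$tmpl")
    if [ "$before" -eq 0 ]; then
        echo "no default_md=sha1 lines in $tmpl"
        return 0
    fi
    cp -p "$tmpl" "$tmpl.sha1.bak" || return 2
    sed 's/^\([[:space:]]*default_md[[:space:]]*=[[:space:]]*\)sha1\([[:space:]]*\)$/\1sha256\2/' \
        "$tmpl.sha1.bak" > "$tmpl" || return 2
    after=$(count_sha1_md "$tmpl")
    echo "changed $before line(s), $after still sha1"
    [ "$after" -eq 0 ]
}

# Touch the real files only when asked to: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    echo "CA signature algorithm: $(cert_sig_alg "$CA_CERT")"
    switch_default_md "$TEMPLATE"
fi
```

Once the CA has been recreated, running `cert_sig_alg` against the new cacert.pem confirms that the certificate is now signed with a SHA256 algorithm.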

Finally, delete the old CA certificate and create a new one with SHA256 by following all the steps of this TID:

NOTE: Do not deviate from the steps of the TID. Follow it to the letter, using all the names for the Certificates and the SMT FQDN as described in it.

https://www.suse.com/support/kb/doc/?id=7006024

Again, because you are recreating the CA certificate, you must also re-create the Server certificate (as explained in the above TID) and de-register and re-register all the Client systems so that they get the new certificates.
