
CSCur19653 - WSA certs being signed SHA1 with SHA256 CA - RSA

Hi there,

I had a WSA with version 7.7.0-195 and was having trouble with certificates and SHA256/SHA1 as reported in bug CSCur19653. I decided to upgrade to version 8.8.0-085 (the latest available from the upgrade path from version 7.7.0-195). But the error from CSCur19653 remains on 8.8.0-085 also. Does anybody know which version I should use to overcome this problem?


cosmin.surghe
Level 1

Hello Julijan,

I also encountered this behavior on our WSA (version 8.8.0-085) and I asked a TAC Engineer if bug #CSCur19653 is also affecting this version. Please find below the response I received from him:

  • Before 8.5.x versions, WSA generates a self-signed certificate and CSR with a 1024-bit RSA key and SHA-1 support; however, from version 8.5.x onwards, the key length for SSL certificates generated or processed (both self-signed and CSR) by the appliance is 2048 bits.
  • From version 8.5.2 onwards, we can generate a self-signed certificate with SHA-2 support; however, the CSR will still be downloaded with SHA-1.

So if your appliance is at 8.8 and you are still experiencing the issue, you have to generate a new self-signed certificate from the WSA, which will support SHA-2.

In my case the issue disappeared after I upgraded our appliance to a higher version (we upgraded because there is no TLS support for v1.1 and 1.2 in AsyncOS version 8.8.0-085).

Regards.

Thank you for your response.

Meanwhile I've upgraded my appliance to version 10.1.0-204.

In this version I do not have this issue anymore and this complies with your post also.

Thanks again for your post.

Regards, J