SHA 1 Appliance Certificate Update Procedure
Warning
Action required for SecureAuth IdP appliances using SHA 1 certificates
Issue
SecureAuth IdP appliances, versions pre-8.1.0 and issued before June 4, 2015 that have not undergone the Appliance Certificate Renewal Utility (ACRU) process must be updated with a SHA 2 appliance certificate before January 1, 2017 to avoid disruption with SecureAuth Cloud Services and modern browsers.
Per the Microsoft Technet Article, SHA 1 based SSL certificates are deemed insecure and will be blocked by modern browsers starting February 2017.
SecureAuth strongly encourages customers to replace all SHA 1 based certificates, including the appliance certificate, personal certificates, and the IIS binding certificate installed on SecureAuth IdP appliance(s) no later than December 2016 to avoid a lapse in SecureAuth Cloud Services support and to meet the latest security advisory standards and timelines.
 |
Go the the System Info tab of the Admin Realm (SecureAuth0), and look in the WSE 3.0 / WCF Configuration section
If the URL fields utilize the http://x509.multifactortrust3.com Fully Qualified Domain Name (FQDN), then the appliance is still running SHA 1
Notice
Appliances running SHA 2 utilize the https://cloud.secureauth.com or https://us-cloud.secureauth.com FQDN
Consequences
Failure to update the appliance(s) with SHA 2 certificates results in disruption of SecureAuth Cloud Services, which include:
Certificate-based Authentication – Integrations utilizing X.509 certificate validation will cease to function
Push Services – Push Notifications and Push-to-Accept multi-factor methods will cease to function
SMS Services – One-time passwords (OTPs) will not be delivered via SMS / text message for authentication
Telephony Services – OTPs will not be delivered via phone call for authentication
Warning
These services will continue to malfunction until the appliance certificate is upgraded to SHA 2
Resolution
SecureAuth strongly recommends to update the appliance(s) with SHA 2 certificates as soon as possible, which is a very simple process. Contact SecureAuth Support to schedule an appointment to run ACRU on the required appliance(s) to avoid service disruptions and to ensure that the appliance(s) is running as expected.
Tip
If the appliance(s) is integrated with VPNs, Gateways, and other products that utilize certificate-based authentication, then alert the SecureAuth Support Engineer to ensure proper updates are made to the configuration.