Device Integrations without SHA-2 ECDSA Certificate Support
Introduction
Use this guide to create a workaround for integrations with devices (VPNs, gateways, etc.) that do not support SHA-2 certificates.
SecureAuth recently moved its cloud services and environment from SHA-1 to SHA-256. SHA-1 integrations are still supported for now, but, in line with Microsoft's security recommendation, SHA-1 support will cease on January 1, 2017.
Not all vendors have enabled SHA-2 support in their products, so this guide explains how to let integrations with such devices keep using SHA-1 certificates while the SecureAuth IdP SHA-2 infrastructure remains in place.
Applies to
SecureAuth IdP appliances version 8.1+, and / or SecureAuth IdP appliances post-ACRU and utilizing SHA-2 infrastructure
Devices (VPNs, Gateways, etc.) that do not support SHA-2 ECDSA Certificates
Notice
Ensure that the current SHA-1 CA Public Certificates (expiration March 30, 2017) are uploaded to the device for the integration
If this is an existing integration, the certificates are likely already uploaded and no changes are required. If this is a new integration, download the MFA Root 3, MFC Issuer 3 Nevada, and MFC Issuer 3 Sierra certificates from the SHA-1 Public Certificates tab of the SecureAuth CA Public Certificates page and upload them to the device.
Notice
For iOS or Android Mobile Realms that use PFX, the current SHA-1 intermediate certificates (Sierra and Nevada, expiration March 30, 2017) must be placed in the SecureAuth IdP appliance's certificate store.
The current SHA-1 MFA Root 3 certificate is also needed for proper operation and should already be present on the appliance; SecureAuth recommends verifying that it is present in the trusted roots section of the certificate store before relying on it.
Download the certificates from the SecureAuth CA Public Certificates page, in the SHA-1 Public Certificates tab
SecureAuth IdP Configuration Steps
System Info
1. In the SecureAuth IdP Certificate Enrollment realms for devices that do not support SHA-2 ECDSA certificates, the Certificate URL in the WSE 3.0 / WCF Configuration section of the System Info tab must be changed to use SHA-1 certificates instead of SHA-2. The two endpoints differ in both scheme and path, so copy the URL that matches the Certificate Use WSE 3.0 setting exactly:
If Certificate Use WSE 3.0 is set to True, set the Certificate URL to http://cloud.secureauth.com/legacycertservice/cert.svc/msg
If Certificate Use WSE 3.0 is set to False (for example, when using a proxy), set the Certificate URL to https://cloud.secureauth.com/legacycertservice/cert.svc
Warning
Click Save once the configuration is complete, before leaving the System Info page, to avoid losing changes
Note
The next required steps can be done in two ways: Manual or Automatic
For Manual, follow steps 2 - 4; for Automatic, use the SecureAuth Certificate Installer (Windows / Mac) to replace the SHA-1 intermediate and root certificates in the SecureAuth IdP web.config files with the renewed SHA-1 certificates
Links
2. Select Click to edit Web Config file
Web Config Editor
3. Search for (CTRL + F or CMD + F) RootCert, and replace the <add key="RootCert" value="CERT" /> line with the code below (RootCert Key Value)
4. Search for (CTRL + F or CMD + F) InterCert, and replace the <add key="InterCert" value="CERT" /> line with the code below (InterCert Key Value)
RootCert Key Value
<add key="RootCert" value="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,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" />
InterCert Key Value
<add key="InterCert" value="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,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" />
Warning
Click Save once the configuration has been changed, before leaving the Web Config Editor page, to avoid losing changes
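The manual steps above (checking that the SHA-1 root and intermediates are in the appliance certificate store, then pasting their Base64 values into the RootCert and InterCert keys) can also be done from an elevated PowerShell prompt on the appliance. The script below is an added example written for this page; it is not SecureAuth's Certificate Installer or any other SecureAuth tool. The realm web.config path and the .cer file names are assumptions chosen for illustration, as is the 30-day expiry warning threshold; substitute the paths for your appliance and the certificates you downloaded from the SHA-1 Public Certificates tab.

```powershell
# Added example (not SecureAuth's own tooling): verify the SHA-1 chain in the
# local machine certificate store and rewrite the RootCert / InterCert
# appSettings of a realm web.config from downloaded .cer files.
# ASSUMPTIONS (not from the page): the default paths and file names below.
param(
    [string]$WebConfig = 'D:\SecureAuth\SecureAuth1\web.config',   # assumed realm path
    [string[]]$RootCerFiles  = @('.\MFA_Root_3.cer'),                          # assumed file name
    [string[]]$InterCerFiles = @('.\MFC_Issuer_3_Nevada.cer', '.\MFC_Issuer_3_Sierra.cer')  # assumed
)

function Get-CertInfo {
    param([string]$Path)
    # X509Certificate2 parses both DER and Base64 .cer files; RawData is the DER
    # body, so re-encoding it gives the header-less Base64 web.config expects.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $Path).Path
    [PSCustomObject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA for the legacy chain
        Thumbprint = $cert.Thumbprint
        Base64     = [Convert]::ToBase64String($cert.RawData)
    }
}

function Set-AppSettingValue {
    param([xml]$Doc, [string]$Key, [string]$Value)
    $node = $Doc.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in web.config" }
    $node.SetAttribute('value', $Value)
}

# 1. Load every certificate and report algorithm and expiry (the page's SHA-1
#    chain expires March 30, 2017; warn when fewer than 30 days remain).
$roots  = @($RootCerFiles  | ForEach-Object { Get-CertInfo $_ })
$inters = @($InterCerFiles | ForEach-Object { Get-CertInfo $_ })
foreach ($c in ($roots + $inters)) {
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Host ("{0,-45} {1,-10} expires {2:yyyy-MM-dd} ({3} days)" -f $c.Subject, $c.SigAlg, $c.NotAfter, $days)
    if ($days -lt 30) { Write-Warning "$($c.Subject) expires in $days days" }
}

# 2. Confirm the root is in Trusted Root Certification Authorities and the
#    intermediates in Intermediate Certification Authorities (LocalMachine).
foreach ($c in $roots) {
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $c.Thumbprint)) {
        Write-Warning "Root '$($c.Subject)' is NOT in Cert:\LocalMachine\Root"
    }
}
foreach ($c in $inters) {
    if (-not (Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $c.Thumbprint)) {
        Write-Warning "Intermediate '$($c.Subject)' is NOT in Cert:\LocalMachine\CA"
    }
}

# 3. Back up web.config, then write the comma-separated Base64 values into
#    RootCert and InterCert, matching the format of the Key Value snippets above.
$cfgPath = (Resolve-Path $WebConfig).Path
Copy-Item $cfgPath "$cfgPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
[xml]$cfg = Get-Content -Raw $cfgPath
Set-AppSettingValue $cfg 'RootCert'  (($roots  | ForEach-Object Base64) -join ',')
Set-AppSettingValue $cfg 'InterCert' (($inters | ForEach-Object Base64) -join ',')
$cfg.Save($cfgPath)
Write-Host "Updated RootCert and InterCert in $cfgPath (backup written alongside)"
```

Run it once per Certificate Enrollment realm that needs the legacy chain. Matching by thumbprint rather than subject name avoids confusing the renewed SHA-1 intermediates with older copies that share a subject. XmlDocument.Save may renormalize whitespace in the file, so diff the result against the .bak before the application pool recycles, and keep the backup until the realm has been tested end to end.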