SecureAuth's SHA 1 Root Certificate Authority (CA) Certificate, MFA Root 3, expires March 30, 2017. Appliances, devices, workstations, and anything else using the certificate must be updated prior to the expiration to continue using SecureAuth's certificate services.

Need to Know

SecureAuth has moved its infrastructure to SHA 2, as SHA 1 is no longer deemed secure. With that, only SHA 2 certificates are being issued, and the SHA 1 Root CA MFA Root 3, which is utilized to issue certificates for certificate-based authentication, expires on March 30, 2017.

  • If SecureAuth IdP appliances have not been updated to SHA 2, then that action must be completed first (see Scenario 1 below for more information), followed by uploading the latest certificates to IdP, VPNs, workstations, etc. and updating the IdP configuration
  • If SecureAuth IdP appliances have been updated to SHA 2, but the SHA 1 certificates are still in use, then the SHA 1 certificates must be replaced with the latest certificates and the latest IdP configuration (see Scenario 2 below for more information)
  • If SecureAuth IdP appliances have been updated to SHA 2 and no SHA 1 certificates are in use, then SecureAuth recommends that the latest certificates be uploaded to IdP, VPNs, workstations, etc. as a best practice (see Scenario 3 below for more information)

In the past, not all environments could be updated with SHA 2 certificates due to VPNs and other devices not supporting SHA 2 ECDSA (512) certificates; however, the latest certificate bundle includes SHA 2 RSA (384) certificates, which can be uploaded to those devices to enable a working relationship with SecureAuth IdP's SHA 2 Root CAs.

The SecureAuth ECDSA certificates are still supported for those customers that have already updated their environments.

Failure to update SecureAuth IdP appliances to point to the SHA 2 enrollment endpoints and other devices with SHA 2 certificates will result in disruption of any certificate-based authentication, as of March 30, 2017.

Scenarios & Instructions

Select the scenario that best describes the SecureAuth IdP environment:

Scenario 1: SecureAuth IdP has not been updated to SHA 2 infrastructure

This scenario applies only to customers running a SecureAuth IdP version prior to 8.1 who have not already run ACRU to update the appliance(s) to SHA 2.

1. Contact SecureAuth Support to run the Appliance Certificate Renewal Utility (ACRU) on the SecureAuth IdP appliance(s)

2. Upload the latest SecureAuth IdP certificates (Root and Intermediates) to their respective certificate stores on the appliance(s)

G3Certs.zip and G3Certs_2.zip can be downloaded here

3. In the System Info tab of the certificate enrollment realm(s), update the Certificate URL in the WSE 3.0 / WCF Configuration section

A If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True

http://cloud.secureauth.com/certservice/Cert.svc/msg

B If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False

https://cloud.secureauth.com/certservice/Cert.svc

C If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = True

http://nge-cloud.secureauth.com/certservicersa/Cert.svc/msg

D If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = False

https://nge-cloud.secureauth.com/certservicersa/Cert.svc

For configuration D, Port 443 must be open for nge-cloud.secureauth.com to enable certificate enrollment from the endpoint


4. Update the web.config file in the certificate realm(s) with the relevant Root and Intermediate Certificate BLOBs

  • VPNs / Devices Support ECDSA: Copy the SecureAuth G3 Root Certificate Authority Key Value (SHA2-512 ECDSA), and download the SHA2-512 ECDSA InterCert Key Value file here (bottom of page)
  • VPNs / Devices DO NOT Support ECDSA: Copy the SecureAuth G3 Root Certificate Authority 2 (SHA2-384 RSA) Key Value, and download the SHA2-384 RSA InterCert Key Value file here (bottom of page)

Search for <add key="RootCert" and replace the value with the new, relevant Root Cert BLOB

Search for <add key="InterCert" and replace the value with the new, relevant Intermediate Cert BLOBs


5. Upload the relevant Root and Intermediate certificates to VPNs and other devices

  • VPNs / Devices Support ECDSA: Download the G3Certs.zip here, and upload the certificates to VPNs / devices
  • VPNs / Devices DO NOT Support ECDSA: Download the G3Certs_2.zip here, and upload the certificates to VPNs / devices

6. Push out the same Root and Intermediate certificates used in step 5 to user workstations via GPO / software distribution

If the certificates cannot be pushed out via GPO / software distribution, then employ SecureAuth's Certificate Installer (Windows / Mac)

7. Have users re-enroll for certificates

Scenario 2: SecureAuth IdP has been updated to SHA 2 infrastructure, but SHA 1 certificates still in use

This scenario applies only to customers that have SecureAuth IdP versions 8.1+ or pre-8.1 versions that have been updated to SHA 2, but that still utilize SHA 1 certificates

Typically, the certificates were not updated because VPNs and devices did not support SHA 2 ECDSA certificates; SecureAuth now provides SHA 2 RSA certificates that those products do support

1. Upload the latest SecureAuth IdP certificates (Root and Intermediates) to their respective certificate stores on the appliance(s)

G3Certs.zip and G3Certs_2.zip can be downloaded here

2. In the System Info tab of the certificate enrollment realm(s), update the Certificate URL in the WSE 3.0 / WCF Configuration section

A If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True

http://cloud.secureauth.com/certservice/cert.svc/msg

B If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False

https://cloud.secureauth.com/certservice/cert.svc

C If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = True

http://nge-cloud.secureauth.com/certservicersa/cert.svc/msg

D If VPNs / Devices DO NOT Support ECDSA and Certificate Use WSE 3.0 = False

https://nge-cloud.secureauth.com/certservicersa/cert.svc

For configuration D, Port 443 must be open for nge-cloud.secureauth.com to enable certificate enrollment from the endpoint


For SecureAuth IdP 9.0.0+ appliances, or appliances that have undergone the ACRU Lite process: if the VPNs / devices do not support ECDSA certificates, use either the C or D endpoint; if the products do support ECDSA and the current endpoints point to us-cloud, set the endpoint as follows:


If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = True

http://us-cloud.secureauth.com/certservice/cert.svc/msg

If VPNs / Devices Support ECDSA and Certificate Use WSE 3.0 = False

https://us-cloud.secureauth.com/certservice/cert.svc

3. Update the web.config file in the certificate realm(s) with the relevant Root and Intermediate Certificate BLOBs

  • VPNs / Devices Support ECDSA: Copy the SecureAuth G3 Root Certificate Authority Key Value (SHA2-512 ECDSA), and download the SHA2-512 ECDSA InterCert Key Value file here (bottom of page)
  • VPNs / Devices DO NOT Support ECDSA: Copy the SecureAuth G3 Root Certificate Authority 2 (SHA2-384 RSA) Key Value, and download the SHA2-384 RSA InterCert Key Value file here (bottom of page)

Search for <add key="RootCert" and replace the value with the new, relevant Root Cert BLOB

Search for <add key="InterCert" and replace the value with the new, relevant Intermediate Cert BLOBs
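As an added check that is not part of SecureAuth's documentation or tooling, the following PowerShell audits the RootCert and InterCert values already present in a certificate realm's web.config (the keys edited in the web.config step of Scenarios 1 and 2) and flags any BLOB that is SHA-1 signed or expires on or before March 30, 2017, which tells you whether the realm still chains to MFA Root 3 material. The web.config path and the assumption that each value holds one or more base64 DER BLOBs are mine, not the page's.

```powershell
# Added example (not SecureAuth tooling): report what certificate material a
# realm's web.config currently carries in its RootCert / InterCert keys.
# Assumed: each value is one or more base64-encoded DER certificates.
function Get-RealmCertStatus {
    param(
        [Parameter(Mandatory)][string]$WebConfig,          # path supplied by caller
        [datetime]$Deadline = (Get-Date '2017-03-30')      # MFA Root 3 expiry from the page
    )
    [xml]$xml = Get-Content -Path $WebConfig -Raw
    foreach ($key in 'RootCert', 'InterCert') {
        $node = $xml.SelectSingleNode("//add[@key='$key']")
        if (-not $node) { Write-Warning "${key}: key not found in $WebConfig"; continue }
        $value = $node.GetAttribute('value')
        # Pull each base64 run out of the value; InterCert may hold several BLOBs.
        foreach ($m in [regex]::Matches($value, '[A-Za-z0-9+/=]{64,}')) {
            try {
                $bytes = [Convert]::FromBase64String($m.Value)
                $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
            } catch {
                Write-Warning "${key}: value is not a decodable certificate BLOB"
                continue
            }
            $alg     = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha384RSA, sha512ECDSA
            $problem = @()
            if ($alg -like 'sha1*')           { $problem += 'SHA-1 signature' }
            if ($cert.NotAfter -le $Deadline) { $problem += "expires $($cert.NotAfter.ToShortDateString())" }
            if ($problem) { $action = 'REPLACE: ' + ($problem -join ', ') } else { $action = 'OK (SHA-2)' }
            [pscustomobject]@{
                Key       = $key
                Subject   = $cert.Subject
                Algorithm = $alg
                NotAfter  = $cert.NotAfter
                Action    = $action
            }
        }
    }
}

# Assumed realm path; any row marked REPLACE means Scenario 1 or 2 still applies.
Get-RealmCertStatus -WebConfig 'C:\inetpub\wwwroot\SecureAuth1\web.config' | Format-Table -AutoSize
```

Run it against each certificate enrollment realm before and after the web.config edit; the second run should show only SHA-2 algorithms and no REPLACE rows.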


4. Upload the relevant Root and Intermediate certificates to VPNs and other devices

  • VPNs / Devices Support ECDSA: Download the G3Certs.zip here, and upload the certificates to VPNs / devices
  • VPNs / Devices DO NOT Support ECDSA: Download the G3Certs_2.zip here, and upload the certificates to VPNs / devices

5. Push out the same Root and Intermediate certificates used in step 4 to user workstations via GPO / software distribution

If the certificates cannot be pushed out via GPO / software distribution, then employ SecureAuth's Certificate Installer (Windows / Mac)

6. Have users re-enroll for certificates

Scenario 3: SecureAuth IdP has been updated to SHA 2 infrastructure and all certificates updated to SHA 2

This scenario applies only to customers that have updated to SHA 2 and are not using the SHA 1 Root Certificate (MFA Root 3) for certificate-based authentication

Typically, this scenario is for environments that have VPNs / devices that support ECDSA certificates

1. As a best practice, SecureAuth recommends uploading the latest certificates (Root and Intermediates) to their respective certificate stores on the appliance(s)

G3Certs.zip and G3Certs_2.zip can be downloaded here
