Change algorithm for self-signed certificates

  • All SafeGuard Enterprise components must have version 6.1 or later.

Certificates generated by SafeGuard Enterprise, such as the company, machine, security officer and user certificates are signed with hash algorithm SHA-256 by default during the first-time installation for enhanced security.

When upgrading from SafeGuard Enterprise 6 or earlier, hash algorithm SHA-1 is automatically used for self-signed certificates. You can manually change it to SHA-256 for enhanced security after the upgrade is completed.

Only change the algorithm to SHA-256 if all SafeGuard Enterprise components and endpoints have been upgraded to the current version. SHA-256 is not supported in mixed environments where for example SafeGuard Enterprise 6 endpoints are managed by the SafeGuard Management Center 7. If you have a mixed environment, you must not carry out this task and must not change the algorithm to SHA-256.

Changing the algorithm for self-signed certificates involves the following steps:

  • Changing the hash algorithm.
  • Creating a Certificate Change Order (CCO).
  • Creating a configuration package including the CCO.
  • Restarting the SafeGuard Enterprise (database) servers.
  • Distributing and deploying the configuration packages on the endpoints.

To change the algorithm for self-signed certificates:

  1. In the SafeGuard Management Center menu bar, select Tools > Options.
  2. On the General tab, under Certificates, select the required algorithm from Hash algorithm for generated certificates and click OK.
  3. On the Certificates tab, under Request, click Update. In Update Company certificate, enter a name for the CCO and specify a backup path. Enter a password for the P12 file and retype it. Optionally enter a comment and click Create.
  4. Confirm when prompted that this change cannot be reverted and that all configuration packages created after this company certificate update need this CCO included to work on already installed endpoints.
  5. Confirm when prompted that the update was successful and that a CCO to be included in all configuration packages has been created. Click OK.
  6. On the Tools menu, click Configuration Package Tool.
  7. Select the required type of endpoint configuration package: Managed client packages or Standalone client packages.
  8. Click Add Configuration Package and enter a name of your choice for the configuration package.
  9. Select the CCO you created beforehand.
  10. Make further selections as appropriate.
  11. Specify an output path for the configuration package (MSI).
  12. Click Create Configuration Package.
    The configuration package (MSI) has now been created in the specified directory.
  13. Restart all SafeGuard Enterprise (database) servers.
  14. Distribute and deploy this package to the SafeGuard Enterprise protected endpoints.

All certificates generated by SafeGuard Enterprise are signed with the new algorithm. For more information, see Sophos knowledge base article 116791.