How to support signing with a SHA256 certificate

    Applies to:
      • Legacy SecureAuth IdP
    Deployment model:
      • On Premises
    SecureAuth IdP Version Affected:  9.1+

     

    Description:  

    How to support signing with a SHA256 certificate

     

    Cause:  

    IdP versions 9.1 or later that use SecureAuth-supplied certificates should already be able to sign SAML with SHA256, but if in any doubt, or if using 3rd-party certificates, these instructions can be used.

     

    Resolution: 

    The following are required:

    1. A SHA256 certificate, either a 3rd-party or a SecureAuth certificate.

    2. To support SHA2 algorithms the certificate must be imported using this CSP: "Microsoft Enhanced RSA and AES Cryptographic Provider", e.g.:

    certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX -p "PASSWORD" "PATH_TO_CERT.pfx"

    3. IdP version 9.0.2 with the SHA2 patch installed, or alternatively 9.1 or later.


    If the certificate is already installed on the IdP, check which CSP the certificate is using by opening a command line and typing the following, then reading the "Provider =" line shown for the certificate in question:
    certutil -store my

    If the CSP is incorrect then it can be changed by doing the following:

    1. Export the certificate with the private key as a PFX.
    2. Open a command line and use certutil to import it and change the CSP using this command line:
    certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX -p "PASSWORD" "PATH_TO_CERT.pfx"


    Note that changing the CSP using certutil should only be performed if the OS is Windows Server 2012R2, because Windows Server 2008R2 does not correctly handle the changing of the CSP. If the IdP is running 2008R2, the following procedure can be used provided access to any Windows Server 2012R2 machine is possible:

    1. Export the certificate with the private key as a PFX from the IdP.
    2. Copy the PFX to the 2012R2 machine.
    3. On the 2012R2 machine, open a command line and use certutil to import it and change the CSP using this command line:
    certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX -p "PASSWORD" "PATH_TO_CERT.pfx"

    4. Export the certificate and private key from the 2012R2 machine as a PFX and copy it back to the IdP.
    5. Install the PFX on the IdP.
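    The following PowerShell script is an added example and is not part of the SecureAuth article or product. It does what the manual certutil check above does, for every certificate with a private key in the local machine Personal store (the "my" store), and then actually attempts a SHA256 signature with that key so the result of a re-import can be confirmed on the IdP. It assumes Windows PowerShell with .NET Framework 4.5 or later, that the account running it may read the private keys, and that the expected provider is the one this article names; the test payload is constructed.

```powershell
# Added example, not SecureAuth code: list the CSP behind each private key in
# the local machine Personal store and test whether it can sign with SHA256.
$ExpectedProvider = "Microsoft Enhanced RSA and AES Cryptographic Provider"
# Constructed payload; its content does not matter, only that it can be signed.
$SampleData = [System.Text.Encoding]::UTF8.GetBytes("constructed test payload")

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        $result = [ordered]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Provider   = $null
            Sha256Sign = $null
        }
        try {
            # Legacy CSP keys surface as RSACryptoServiceProvider, which exposes the
            # provider name that "certutil -store my" prints on its "Provider =" line.
            $rsa = $cert.PrivateKey
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $result.Provider = $rsa.CspKeyContainerInfo.ProviderName
                # The AES-capable provider accepts SHA256. The older
                # "Microsoft Enhanced RSA Cryptographic Provider" throws
                # "Invalid algorithm specified" here, which is the failure this
                # article's re-import with -csp is meant to remove.
                $null = $rsa.SignData($SampleData, "SHA256")
                $result.Sha256Sign = "OK"
            } else {
                # A CNG (KSP) key or a key the API cannot expose; not a legacy CSP
                # and therefore outside what this article covers.
                $result.Provider   = "(not a legacy CSP key)"
                $result.Sha256Sign = "Skipped"
            }
        } catch {
            $result.Sha256Sign = "FAILED: $($_.Exception.Message)"
        }
        if ($result.Provider -and $result.Provider -ne $ExpectedProvider) {
            $result.Sha256Sign += " (CSP differs from expected; re-import with -csp)"
        }
        [pscustomobject]$result
    } | Format-Table -AutoSize
```

    Run it in an elevated Windows PowerShell session on the IdP before and after the re-import. A certificate that shows the expected provider and "OK" is ready for SHA256 signing; one that shows "FAILED: Invalid algorithm specified" is still bound to a CSP that cannot produce SHA2 signatures and needs the certutil re-import described above.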



    For more information about CSPs and algorithm support see this article:
    https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
