Migration from SHA-1 to SHA-2 certificates is needed after upgrading to ePolicy Orchestrator
Last Modified: 2022-10-20 04:53:32 Etc/GMT
Technical Articles ID: KB87017
Environment
ePolicy Orchestrator (ePO) 5.10
Summary
This article includes information relating to ePO 5.9.x, but this version is End of Life (EOL). For EOL details, see KB93286 - End of Life for ePolicy Orchestrator 5.9.x.
Problem 1
Browsers flag the ePO console as an unsecure HTTPS, even though the correct certificate is imported into the user certificate store.
Problem 2
A vulnerability scan flags ePO as using SHA-1, which is considered a weak hashing algorithm.
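The scanner finding in Problem 2 can be confirmed independently by reading the signature algorithm out of the certificate the ePO console presents. The following Python script is an added example; it is not code from this article or from the ePO product. It assumes you have the console certificate as a PEM or DER file (for example exported from the browser); the make_fixture() helper builds a constructed, structurally valid dummy certificate so the check runs offline without a real ePO server.

```python
"""Flag SHA-1-signed X.509 certificates before a vulnerability scanner does.

Added example (not from the KB article or from Trellix/ePO): a minimal DER
walker that reads the outer Certificate SEQUENCE, skips tbsCertificate and
decodes the signatureAlgorithm OID. make_fixture() constructs a dummy
certificate (placeholder tbs, zero signature) purely as test input.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758): name, uses SHA-1?
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_cert(data):
    """Accept PEM or DER bytes and return the DER encoding."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end).

    value_end is also the offset of the next sibling element. Single-byte
    tags only, which is all a Certificate's top-level structure needs.
    """
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def _decode_oid(data):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [2, data[0] - 80] if data[0] >= 80 else [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (oid, name, uses_sha1) for the certificate's outer signatureAlgorithm.

    uses_sha1 is None when the OID is not in SIG_ALGS (unknown algorithm).
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)       # tbsCertificate: skip it
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    name, uses_sha1 = SIG_ALGS.get(oid, (oid, None))
    return oid, name, uses_sha1


def needs_migration(cert_bytes):
    """True when a PEM/DER certificate is signed with a SHA-1 algorithm."""
    return signature_algorithm(load_cert(cert_bytes))[2] is True


# --- constructed test fixture (dummy certificate, not a real one) -----------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_fixture(sig_oid):
    """Constructed certificate: placeholder tbs, given algorithm, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                           # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" * 9)                                    # BIT STRING, dummy
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        pem = to_pem(make_fixture(oid))
        _, name, sha1 = signature_algorithm(load_cert(pem))
        print(f"{name:26s} sha1={sha1}  needs migration: {needs_migration(pem)}")
```

On a single certificate, `openssl x509 -in console.pem -noout -text` shows the same information on its "Signature Algorithm" line; the script is for batch-checking exported certificates or wiring the check into a pipeline. A SHA-1 result on the console certificate is what produces the Problem 2 scan finding, and the remedy is the migration described under Solution.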
Cause
The SHA-1 algorithm has reached EOL. Many organizations are deprecating TLS or SSL certificates signed with the SHA-1 algorithm. Browsers such as Google Chrome and Microsoft Internet Explorer are ending support for certificates using SHA-1. To learn more about SHA-1 support in some browsers, see the following related articles:
Solution
CAUTION: Read the instructions carefully before you continue with the steps. Failure to wait for sufficient agent saturation in step 5 can result in large numbers of agents failing to communicate until the agent is reinstalled.
To remediate vulnerabilities in your ePO environment, migrate your existing SHA-1 certificates to certificates that use the more secure SHA-2 algorithm. A fresh installation of ePO 5.10 installs certificates signed with the latest hash algorithm. If you upgrade ePO from an older version, migrate the SHA-1 certificates to SHA-2 certificates using the following steps:
IMPORTANT: If you encounter any issues during the migration process, click Cancel Migration to revert to the previous certificates. If you cancel the migration, you must stop the Agent Handler services, and then restart the ePO services and Agent Handler services. You can start the certificate migration again after you resolve the issues.
Workaround
You can replace the server certificate used by ePO at the console logon screen with one signed by an internal CA or a public CA (such as
For instructions on generating a new console certificate using OpenSSL, see KB72477 - How to generate a custom SSL certificate for use with ePO using the OpenSSL toolkit.
Related Information
Frequently Asked Questions:
What are the consequences of not upgrading to ePO 5.10 and migrating away from an SHA-1 certificate after support for SHA-1 has ended?
See also KB91288 - Overview of ePolicy Orchestrator certificate migration with workflow and process.