Release Automation


The default SHA-1 SSL certificates used by Release automation will stop being supported by Microsoft / Google browsers in January 2017 

Dec 15, 2016 06:08 AM

Problem


Starting in early 2017, several browsers such as Microsoft Internet Explorer, Firefox, Chrome and Mozilla will deprecate support for SHA-1 signed certificates for HTTPS/SSL communication and will block connections to websites that use them, as these certificates are no longer considered secure.

 

Environment

Release automation server 5.x and 6.x

Answer

Whether you are using a SHA-1 signed certificate for your RA web server depends on how you configured your Release Automation server.

If you use secure communication (HTTPS) between the internet browser and the RA server with the default nolio self-signed certificates installed during the installation, you have a SHA-1 signed certificate in place, and it needs to be updated.

If you have already set up your own certificate from a Certificate Authority or generated your own self-signed certificate, you have to verify that certificate.

In most browsers you can click on the padlock symbol to display the certificate information. Expand it to show the certificate details and check the Signature Algorithm. Also make sure you click on the intermediate certificate to check whether it is a SHA-1 signed certificate.

As a best practice, we always advise replacing the default nolio certificate with your own certificate.

You can install your own self-signed certificate using the procedure "Secure UI Communication" from the Release Automation installation guide:

https://docops.ca.com/ca-release-automation/6-2/en/installation/ca-release-automation-communications-security/secure-communications

 

Additional Information

Starting with RA 6.3, we will update the default nolio certificate installed during the initial installation to be a SHA-256 signed certificate.


Comments

Dec 22, 2016 09:49 AM

Hi Dirk, thanks for the info.

We mostly have our own certificates, except for one environment which we cannot migrate or upgrade.

 

Kind regards/Freundliche Grüsse

Bernard Stern

 

 


Dec 22, 2016 09:43 AM

Hi,

 

This article explains how the SHA1 certificate will be handled in browsers moving forward: "Google to Show Errors for SHA1 Certificates Starting with Chrome 56". Dirk is correct that the certificate has been updated with 6.3; we recommend, if you are using an older version of Release Automation and require SSL connectivity, that you use your own custom certificates.

 

regards

 

keith

Dec 22, 2016 05:24 AM

Hi Bernard

 

RA 6.3 is actually already available for download on the support.ca.com website. I am not aware at the moment that we will update the default "nolio key and truststores" in a cumulative patch for RA <= 6.2.

This could be a bit tricky, as most customers would have updated the certificates with their own, and replacing the stores in a cumulative could wipe this configuration out.

This will only impact you when you use SSL configuration with the default generated certificates; to be secure, we always advise installing your own certificates, either self-signed or provided by a Certificate Authority.

 

 

Regards

Dirk

Dec 22, 2016 03:55 AM

That's the easter egg of the year! Do you have an idea what "early 2017" means? Are you going to ship new "default" nolio key and truststores, or cumulative patches for RA <= 6.2?
