FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
As of January 1st, 2016, most modern browsers (for example, Firefox and Chrome) no longer accept certificates signed using SHA-1, because SHA-1 is no longer considered secure. As such, network security engineers should be updating their certificates to use SHA-2 or one of its variants.
The SHA version of an SSL certificate is not determined by the CSR. The CSR determines the Subject values and the key size; the SHA version is set by the CA that signs the CSR. When signing against a private CA (for example, Windows AD CS, EJBCA, OpenSSL, etc.), the administrator of that system will need to change the CA's settings to ensure it is using a SHA-2 variant. When signing against a public CA (for example, GoDaddy, VeriSign, DigiCert, etc.), the CA's certificate management console will typically request the SHA version after the CSR has been submitted and before confirming the submission to the CA. Members of the CA/B Forum have already changed their defaults to SHA-2.
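The point above (the CSR fixes Subject and key size, the CA chooses the signature hash) can be shown directly with OpenSSL as a private CA. The script below is an added example, not from the original article or from Fortinet: it creates a throwaway CA and a single CSR with constructed names, signs that one CSR twice (once with `-sha1`, once with `-sha256`), and then reads back the `Signature Algorithm` of each result. It also includes `is_sha2_signed`, the check an administrator can run against any certificate file before installing it. The CA name, the device CN and the scratch directory are assumptions made for the demo; some OpenSSL builds refuse to sign with SHA-1 at all, and the script reports that rather than failing.

```shell
#!/bin/sh
# Added example: demonstrates that the signature hash is chosen by the CA at
# signing time, not by the CSR. Not part of the original article.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable)

# Create a throwaway private CA. Name is constructed for this demo.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Generate the device CSR. Only Subject and key size are decided here;
# the CN is a constructed placeholder.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=fortigate.example.com" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
}

# Sign the same CSR with the CA using the digest given in $1 (sha1 or sha256).
# The CA-side digest option is what determines the certificate's SHA version.
sign_csr() {
  openssl x509 -req -in "$WORK/device.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 "-$1" -out "$WORK/device-$1.crt" >/dev/null 2>&1
}

# Print the signature algorithm of a certificate file,
# e.g. "sha256WithRSAEncryption" (first occurrence in the text dump).
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Return 0 if the certificate is signed with a SHA-2 variant, 1 otherwise.
# Run this on a certificate returned by a CA before installing it.
is_sha2_signed() {
  case "$(sig_alg "$1")" in
    sha224*|sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

make_ca
make_csr
sign_csr sha256
# Newer OpenSSL builds (and some distro crypto policies) refuse SHA-1 signing.
sign_csr sha1 || echo "This OpenSSL build refuses to sign with SHA-1" >&2

echo "Same CSR, signed with -sha256: $(sig_alg "$WORK/device-sha256.crt")"
if [ -f "$WORK/device-sha1.crt" ]; then
  echo "Same CSR, signed with -sha1:   $(sig_alg "$WORK/device-sha1.crt")"
fi
```

The same `sig_alg` check works on a certificate already deployed on an appliance: pipe the output of `openssl s_client -connect <host>:443 </dev/null` into `openssl x509 -noout -text` and look at the `Signature Algorithm` line. Note that `-sha1` and `-sha256` here are options of the signing command, not of the CSR; re-running `sign_csr` with a different digest against the unchanged CSR is exactly what a CA operator does when switching a private CA from SHA-1 to SHA-2.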
Continued use of SHA-1 will be met with certificate warnings and, in most cases, the inability to access the secure resource, as browsers now terminate connections that use the weaker algorithm by default. Fortinet appliances with a CP8 content processor can offload SHA-256, since the CP8 supports that algorithm in hardware.