Summary

X.509 certificates contain a digital signature based on a cryptographic hash algorithm. The default hash algorithm used when issuing a certificate with BoKS internal Certificate Authority (CA) up to and including BoKS version 7.0 is SHA-1.

Microsoft, Google and many other vendors in the IT industry have announced that certificates using SHA1 hash signatures are being deprecated as research has shown that collision attacks may soon be feasible. The position taken by Microsoft and Google is that SHA1 certificates should not be used after January 1, 2016, or trusted after January 1, 2017. Thus the transition to certificates using stronger hash algorithms needs to start as soon as possible, as certificates usually have a validity time of several years. The most common hash function to replace SHA1 is SHA256 from the SHA2 family.

BoKS Manager Master and Replicas need to be on at least version 6.6.2 for SHA2 signed x.509 certificates to be usable in BoKS Manager itself. BoKS Server Agents before 6.6.2 can work with some limitations when SHA2 certificates are used.


Reference Information


Support for SHA2 certificates in FoxT products

The default hash algorithm used by the BoKS CA can easily be changed, but certificates with SHA2 signatures will not work with all FoxT products. Different cryptographic libraries are used in different products for signature verification.

The products may also need to verify certificates from external CA’s containing SHA2 signatures. The table below lists support for SHA2 x.509 certificates for different FoxT products.

Product Support for SHA2 signatures in x.509 certificates
BoKS Desktop 6.5.1 and earlier No
BoKS Desktop 6.6 and later Yes
Agent SDK 6.0.1 and earlier No
Agent SDK 6.6 Yes (once released)
BoKS 6.5.1 - 6.6.1 Partly, see below.
BoKS 6.6.2 and later Yes
BoKS Password Manager Yes
BoKS MDS Web Services Interface Yes
FoxT Control Center Yes

BoKS Manager 6.5.1 - 6.6.1 components not supporting SHA2 certificate signatures

In BoKS Manager and BoKS Server Agent different components may or may not support SHA2 certificate signatures.

The Host Type column in the table below indicates when the program component is active. I.e. when BoKS Manager has been set-up as a Master, Replica and/or Server Agent (aka Client).

Program or Module Host Type Description
httpsrv M BoKS GUI when using client certificate authentication.
boks_csspd M/R BoKS Desktop login service.
boks_sslproxy M/R/A BoKS Desktop telnet over SSL.
ldapauth (UNIX/Linux) M/R/A LDAP authentication if LDAP server certificate verification configured.
boks_sshd M/R/A SSH x.509 certificate authentication (not plain public key).
EMS LDAP connector M If LDAP server certificate verification configured.
crldownload M CRL signature verification.
verifycert M Used in vcrenew and vcwatch scripts for automatic certificate renewal.
cacreds M Used for managing CA certificates in BoKS database.


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: June 14, 2019