OpenVPN will remove support for MD5 certificates at the end of April 2018. Self Signed Certificate Authorities created on Ecessa devices prior to version 10.7.4 use MD5 certificates and will need to be upgraded. A new Self Signed Certificate Authority, created on version 10.7.4 or newer, will use SHA1 by default.
Version 10.7.4 has not been released yet. It is expected to be released the week of April 16th, 2018. When released, the version will be listed on the Release Notes page.
How to upgrade:
- Upgrade the Ecessa device to version 10.7.4 or newer.
- Use the CLI command certificate self-ca modify name [NAME] msg-digest sha1, replacing [NAME] with the name of the Certificate Authority. After entering the command, use commit save to apply and save the change.
- Renew the client certificates, which will now use SHA1, and distribute the updated certificates to clients.
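
To confirm which certificates still carry an MD5 signature before and after the renewal, the check below reads the outer signatureAlgorithm OID from a PEM certificate using only the Python standard library. It is an added example, not Ecessa's code or part of the original article; the function names and the constructed sample (a certificate skeleton with an empty TBS, not a real certificate) are assumptions for illustration.

```python
import base64
import re

# DER-encoded OID content bytes for the two PKCS #1 algorithms involved here.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",   # 1.2.840.113549.1.1.4
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(der):
    """Return the name (or hex OID bytes) of the outer signatureAlgorithm field."""
    tag, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    oid_tag, o_start, o_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = bytes(der[o_start:o_end])
    return SIG_ALGS.get(oid, oid.hex())

def needs_renewal(pem):
    """True when the certificate is MD5-signed and must be reissued."""
    return signature_algorithm(pem_to_der(pem)) == "md5WithRSAEncryption"

def constructed_sample(oid_hex):
    """Constructed input: certificate skeleton with an empty TBS, not a real cert."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"
```

Run needs_renewal over the Certificate Authority certificate and each client certificate in PEM form; any that return True were issued before the msg-digest change and still need to be renewed.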