SCSP has used the SHA1 hashing algorithm since version 5.2.4. Any installation made since that version is therefore secure. However, a manager that was upgraded from an earlier version, such as 5.0.x or 5.1.x, retains its original certificates. This can be verified by checking the signing algorithm as described in HOWTO59835. In that case, the following unsupported procedure can be used to generate new SHA1-compliant certificates.
Required Resources:
"openssl.exe", Certificate tool, found in: C:\Program Files (x86)\Symantec\Critical System Protection\Server\tools
"keytool.exe", Keystore and cert tool, found in: C:\Program Files (x86)\Symantec\Critical System Protection\server\jre\bin
"agent-cert.ssl" and "server-cert.ssl", SCSP Certificate/Keystores, found in: C:\Program Files (x86)\Symantec\Critical System Protection\server
"server.xml", SCSP Certificate Configuration file, found in: C:\Program Files (x86)\Symantec\Critical System Protection\server\tomcat\conf
"keystorepass", Keystore password, found in: server.xml
Back up old certs to "agent-cert.ssl.ori" and "server-cert.ssl.ori".
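The signing-algorithm check and the backup step above can be scripted together. The following PowerShell is an added example, not part of the original procedure and not necessarily the method HOWTO59835 uses. It assumes the keystores can be read by keytool with its default store type, that server.xml stores the password in a Tomcat keystorePass="..." attribute, and that keytool prints its output in English.

```powershell
# Added example: pre-checks before regenerating SCSP certificates.
# Paths are those listed under Required Resources; adjust if the install differs.
$ServerDir = 'C:\Program Files (x86)\Symantec\Critical System Protection\server'
$Keytool   = Join-Path $ServerDir 'jre\bin\keytool.exe'
$ServerXml = Join-Path $ServerDir 'tomcat\conf\server.xml'
$Stores    = 'agent-cert.ssl', 'server-cert.ssl'

# Assumption: the password is held in a keystorePass="..." attribute in server.xml.
$xmlText = Get-Content -LiteralPath $ServerXml -Raw
if ($xmlText -notmatch 'keystorePass\s*=\s*"([^"]*)"') {
    throw "No keystorePass attribute found in $ServerXml"
}
$StorePass = $Matches[1]

foreach ($name in $Stores) {
    $path = Join-Path $ServerDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found in $ServerDir"
        continue
    }

    # List every entry in the keystore and collect the signature algorithm names.
    $listing = & $Keytool -list -v -keystore $path -storepass $StorePass 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "keytool could not read $name (wrong password or not a keystore)"
        continue
    }
    $algs = @($listing | Select-String -Pattern 'Signature algorithm name:\s*(\S+)' |
              ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique)
    if ($algs.Count -eq 0) {
        Write-Warning "No signature algorithm reported for $name; check it manually"
        continue
    }

    # The article treats SHA1-signed certificates as the target state.
    $needsRegen = @($algs | Where-Object { $_ -notmatch '^SHA1with' }).Count -gt 0
    [pscustomobject]@{
        Keystore           = $name
        SignatureAlgorithm = $algs -join ', '
        NeedsRegeneration  = $needsRegen
    }

    # Back up to <name>.ori as described above, never overwriting an existing backup.
    if ($needsRegen -and -not (Test-Path -LiteralPath "$path.ori")) {
        Copy-Item -LiteralPath $path -Destination "$path.ori"
    }
}
```

Passing the password with -storepass exposes it to other processes on the host while keytool runs, so run the check from an administrative session on the manager itself.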
Run Keytool to generate a new Keystore and certificate: