From b2660301e52ec4f977a5a21a65aeaf2076762789 Mon Sep 17 00:00:00 2001
From: Andres Rosenthal <andres.rosenthal@nortal.com>
Date: Fri, 1 Dec 2023 16:52:36 +0200
Subject: [PATCH] feat: Bump certificate hashing algo SHA1 -> SHA256 except for
 globalconf V2's authCertHash (#1873)

* feat: Bump certificate hashing algo SHA1 -> SHA256 except for globalconf V2's authCertHash

Refs: XRDDEV-445

* fix: Overflowing cert hash in the UI + CR suggestions

Refs: XRDDEV-445
---
 .../resources/globalconf/CS/shared-params.xml |   4 +-
 .../entity/mapper/ApprovedTsaMapperTest.java  |   2 +-
 .../CertificationServicesServiceImplTest.java |   8 +-
 .../IntermediateCasServiceImplTest.java       |   3 +-
 .../TimestampingServicesServiceImplTest.java  |   6 +-
 .../generator/SharedParameters.java           |   2 +-
 .../generator/SharedParametersLoader.java     |  30 ++---
 .../SharedParametersV2Converter.java          |  20 ++-
 .../SharedParametersV3Converter.java          |  20 ++-
 .../generator/SharedParametersLoaderTest.java |   3 +-
 .../SharedParametersV2ConverterTest.java      |  13 +-
 .../SharedParametersV3ConverterTest.java      |  12 +-
 .../certificate/CertificateHash.vue           |   2 +-
 .../admin-service/ui/src/locales/en.json      |   2 +-
 .../main/resources/openapi-definition.yaml    |   4 +-
 .../etc/xroad/globalconf/CS/shared-params.xml |   4 +-
 .../VersionedConfigurationDirectory.java      |  72 ++++++-----
 .../ee/ria/xroad/common/util/CryptoUtils.java |  37 ++++--
 .../VersionedConfigurationDirectoryTest.java  |  38 +++---
 .../globalconf_good_v3/EE/shared-params.xml   |  11 +-
 .../globalconf_good_v3/bar/shared-params.xml  |  11 +-
 .../conf/globalconf/GlobalConfImpl.java       | 118 +++++++++---------
 .../ClientsApiControllerIntegrationTest.java  |   8 +-
 ...tificatesApiControllerIntegrationTest.java |   4 +-
 .../restapi/util/CertificateTestUtils.java    |   6 +-
 .../certificate/CertificateHash.vue           |   2 +-
 .../admin-service/ui/src/locales/en.json      |   2 +-
 .../META-INF/openapi-definition.yaml          |  48 +++----
 ...3000-global-conf-sign-key-rotation.feature |   4 +-
 .../fetchinterval-params.xml                  |   0
 .../private-params.xml                        |   0
 .../shared-params.xml                         |   8 +-
 .../V3/externalconf                           |  26 ++--
 .../V3/internalconf                           |  30 ++---
 .../fetchinterval-params.xml                  |   0
 .../private-params.xml                        |   0
 .../shared-params.xml                         |   8 +-
 .../var/lib/xroad/public/V3/externalconf      |  24 ++--
 .../var/lib/xroad/public/V3/internalconf      |  34 ++---
 .../tokenmanager/TokenManagerMergeTest.java   |   2 +-
 40 files changed, 339 insertions(+), 289 deletions(-)
 rename src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/{20231121222055281623000 => 20231129113225683586000}/fetchinterval-params.xml (100%)
 rename src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/{20231121222055281623000 => 20231129113225683586000}/private-params.xml (100%)
 rename src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/{20231121222055281623000 => 20231129113225683586000}/shared-params.xml (86%)
 rename src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/{20231121221955286271000 => 20231129113125682194000}/fetchinterval-params.xml (100%)
 rename src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/{20231121221955286271000 => 20231129113125682194000}/private-params.xml (100%)
 rename src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/{20231121221955286271000 => 20231129113125682194000}/shared-params.xml (86%)

diff --git a/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml b/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml
index 0c340a5113..2c054f5579 100644
--- a/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml
+++ b/src/addons/messagelog/messagelog-addon/src/test/resources/globalconf/CS/shared-params.xml
@@ -67,7 +67,7 @@
         <owner>id0</owner>
         <serverCode>SS0</serverCode>
         <address>ss0</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id1</client>
         <client>id7</client>
     </securityServer>
@@ -75,7 +75,7 @@
         <owner>id4</owner>
         <serverCode>SS1</serverCode>
         <address>ss1</address>
-        <authCertHash>03SfHhv+L5OJrJaod/sOZn6vp1c=</authCertHash>
+        <authCertHash>Q/wASEqban646kxZ0/uveKBv4h7U3FWnlKzsSJZU1f8=</authCertHash>
         <client>id5</client>
         <client>id6</client>
         <client>id3</client>
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/entity/mapper/ApprovedTsaMapperTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/entity/mapper/ApprovedTsaMapperTest.java
index b9531825db..da0ef7a568 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/entity/mapper/ApprovedTsaMapperTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/entity/mapper/ApprovedTsaMapperTest.java
@@ -75,7 +75,7 @@ void toTarget() throws Exception {
         assertThat(result.getValidFrom()).isEqualTo(VALID_FROM);
         assertThat(result.getValidTo()).isEqualTo(VALID_TO);
 
-        assertThat(result.getCertificate().getHash()).isEqualTo("05A10EEBDB0CD9679E4C85A78848145EF1F00BEA");
+        assertThat(result.getCertificate().getHash()).isEqualTo("094D62D75ECC25D6BD9EA83C7B34678016BB72BB80118FF6EC7E4D383A678CD1");
         assertThat(result.getCertificate().getIssuerCommonName()).isEqualTo("AdminCA1");
         assertThat(result.getCertificate().getIssuerDistinguishedName()).isEqualTo("C=SE, O=EJBCA Sample, CN=AdminCA1");
         assertThat(result.getCertificate().getKeyUsages()).isEqualTo(Set.of(NON_REPUDIATION));
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/CertificationServicesServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/CertificationServicesServiceImplTest.java
index ff979dc868..495662aa20 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/CertificationServicesServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/CertificationServicesServiceImplTest.java
@@ -195,7 +195,8 @@ void addCertificationServiceOcspResponder() throws Exception {
         verify(auditDataHelper).put(CA_ID, mockOcspInfo.getCaInfo().getId());
         verify(auditDataHelper).put(OCSP_ID, mockOcspInfo.getId());
         verify(auditDataHelper).put(OCSP_URL, mockOcspInfo.getUrl());
-        verify(auditDataHelper).put(OCSP_CERT_HASH, "F5:1B:1F:9C:07:23:4C:DA:E6:4C:99:CB:FC:D8:EE:0E:C5:5F:A4:AF");
+        verify(auditDataHelper).put(OCSP_CERT_HASH,
+                "B9:CF:6E:A1:BC:98:24:6B:16:68:24:E3:9A:9F:CD:8E:51:B7:05:37:44:68:D4:96:50:D2:22:85:A7:FA:54:2B");
         verify(auditDataHelper).put(OCSP_CERT_HASH_ALGORITHM, DEFAULT_CERT_HASH_ALGORITHM_ID);
     }
 
@@ -210,7 +211,7 @@ void addIntermediateCa() {
 
         final CertificateAuthority certificateAuthority = service.addIntermediateCa(ID, certificateBytes);
 
-        assertEquals("24AFDE09AA818A20D3EE7A4A2264BA247DA5C3F9", certificateAuthority.getCaCertificate().getHash());
+        assertEquals("D8FD191D4155864DE4DB7F8A5E099DAF70E57AF1B62A2A9B3B3B0C2B51788994", certificateAuthority.getCaCertificate().getHash());
 
         ArgumentCaptor<CaInfoEntity> captor = ArgumentCaptor.forClass(CaInfoEntity.class);
         verify(caInfoRepository).save(captor.capture());
@@ -220,7 +221,8 @@ void addIntermediateCa() {
 
         verify(auditDataHelper).put(CA_ID, ID);
         verify(auditDataHelper).put(INTERMEDIATE_CA_ID, 0);
-        verify(auditDataHelper).put(INTERMEDIATE_CA_CERT_HASH, "24:AF:DE:09:AA:81:8A:20:D3:EE:7A:4A:22:64:BA:24:7D:A5:C3:F9");
+        verify(auditDataHelper).put(INTERMEDIATE_CA_CERT_HASH,
+                "D8:FD:19:1D:41:55:86:4D:E4:DB:7F:8A:5E:09:9D:AF:70:E5:7A:F1:B6:2A:2A:9B:3B:3B:0C:2B:51:78:89:94");
         verify(auditDataHelper).put(INTERMEDIATE_CA_CERT_HASH_ALGORITHM, DEFAULT_CERT_HASH_ALGORITHM_ID);
     }
 
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/IntermediateCasServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/IntermediateCasServiceImplTest.java
index 32ea959593..45b0ecaec0 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/IntermediateCasServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/IntermediateCasServiceImplTest.java
@@ -172,7 +172,8 @@ void addOcspResponder() {
         verify(auditDataHelper).put(INTERMEDIATE_CA_ID, ID);
         verify(auditDataHelper).put(OCSP_ID, NEW_ID);
         verify(auditDataHelper).put(OCSP_URL, URL);
-        verify(auditDataHelper).put(OCSP_CERT_HASH, "F5:1B:1F:9C:07:23:4C:DA:E6:4C:99:CB:FC:D8:EE:0E:C5:5F:A4:AF");
+        verify(auditDataHelper).put(OCSP_CERT_HASH,
+                "B9:CF:6E:A1:BC:98:24:6B:16:68:24:E3:9A:9F:CD:8E:51:B7:05:37:44:68:D4:96:50:D2:22:85:A7:FA:54:2B");
         verify(auditDataHelper).put(OCSP_CERT_HASH_ALGORITHM, DEFAULT_CERT_HASH_ALGORITHM_ID);
     }
 
diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TimestampingServicesServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TimestampingServicesServiceImplTest.java
index 0c7a63673c..9c89cc6b84 100644
--- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TimestampingServicesServiceImplTest.java
+++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/TimestampingServicesServiceImplTest.java
@@ -115,7 +115,8 @@ void add() throws Exception {
         verify(auditDataHelper).put(TSA_ID, ID);
         verify(auditDataHelper).put(TSA_NAME, NAME);
         verify(auditDataHelper).put(TSA_URL, URL);
-        verify(auditDataHelper).put(TSA_CERT_HASH, "05:A1:0E:EB:DB:0C:D9:67:9E:4C:85:A7:88:48:14:5E:F1:F0:0B:EA");
+        verify(auditDataHelper).put(TSA_CERT_HASH,
+                "09:4D:62:D7:5E:CC:25:D6:BD:9E:A8:3C:7B:34:67:80:16:BB:72:BB:80:11:8F:F6:EC:7E:4D:38:3A:67:8C:D1");
         verify(auditDataHelper).put(TSA_CERT_HASH_ALGORITHM, DEFAULT_CERT_HASH_ALGORITHM_ID);
     }
 
@@ -139,7 +140,8 @@ void update() throws Exception {
         verify(auditDataHelper).put(TSA_ID, ID);
         verify(auditDataHelper).put(TSA_NAME, NAME);
         verify(auditDataHelper).put(TSA_URL, request.getUrl());
-        verify(auditDataHelper).put(TSA_CERT_HASH, "05:A1:0E:EB:DB:0C:D9:67:9E:4C:85:A7:88:48:14:5E:F1:F0:0B:EA");
+        verify(auditDataHelper).put(TSA_CERT_HASH,
+                "09:4D:62:D7:5E:CC:25:D6:BD:9E:A8:3C:7B:34:67:80:16:BB:72:BB:80:11:8F:F6:EC:7E:4D:38:3A:67:8C:D1");
         verify(auditDataHelper).put(TSA_CERT_HASH_ALGORITHM, DEFAULT_CERT_HASH_ALGORITHM_ID);
     }
 
diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java
index 06c25eec58..c885ab6a5c 100644
--- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java
+++ b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParameters.java
@@ -111,7 +111,7 @@ public static class SecurityServer {
         private ClientId owner;
         private String serverCode;
         private String address;
-        private List<byte[]> authCertHashes;
+        private List<byte[]> authCerts;
         private List<ClientId> clients;
     }
 
diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java
index bfae1d5f4a..8c9dfd7949 100644
--- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java
+++ b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoader.java
@@ -27,10 +27,8 @@
 package org.niis.xroad.cs.admin.globalconf.generator;
 
 import ee.ria.xroad.common.identifier.ClientId;
-import ee.ria.xroad.common.util.CryptoUtils;
 
 import lombok.RequiredArgsConstructor;
-import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.niis.xroad.cs.admin.api.domain.AuthCert;
 import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey;
@@ -91,7 +89,7 @@ SharedParameters load() {
     private List<SharedParameters.ConfigurationSource> getSources() {
         return configurationService.getNodeAddressesWithConfigurationSigningKeys().entrySet().stream()
                 .map(this::toSource)
-                .collect(toList());
+                .toList();
     }
 
     private SharedParameters.ConfigurationSource toSource(
@@ -121,7 +119,7 @@ private List<SharedParameters.ApprovedCA> getApprovedCAs() {
         var approvedCas = certificationServicesService.findAll();
         return approvedCas.stream()
                 .map(this::toApprovedCa)
-                .collect(toList());
+                .toList();
     }
 
     private SharedParameters.ApprovedCA toApprovedCa(CertificationService ca) {
@@ -137,13 +135,13 @@ private SharedParameters.ApprovedCA toApprovedCa(CertificationService ca) {
     private List<SharedParameters.CaInfo> toCaInfos(List<CertificateAuthority> cas) {
         return cas.stream()
                 .map(ca -> new SharedParameters.CaInfo(toOcspInfos(ca.getOcspResponders()), ca.getCaCertificate().getEncoded()))
-                .collect(toList());
+                .toList();
     }
 
     private List<SharedParameters.OcspInfo> toOcspInfos(List<OcspResponder> ocspResponders) {
         return ocspResponders.stream()
                 .map(this::toOcspInfo)
-                .collect(toList());
+                .toList();
     }
 
     private SharedParameters.OcspInfo toOcspInfo(OcspResponder ocsp) {
@@ -153,7 +151,7 @@ private SharedParameters.OcspInfo toOcspInfo(OcspResponder ocsp) {
     private List<SharedParameters.ApprovedTSA> getApprovedTSAs() {
         return timestampingServicesService.getTimestampingServices().stream()
                 .map(tsa -> new SharedParameters.ApprovedTSA(tsa.getName(), tsa.getUrl(), tsa.getCertificate().getEncoded()))
-                .collect(toList());
+                .toList();
     }
 
     private List<SharedParameters.Member> getMembers() {
@@ -164,7 +162,7 @@ private List<SharedParameters.Member> getMembers() {
     private List<SharedParameters.SecurityServer> getSecurityServers() {
         return securityServerService.findAll().stream()
                 .map(this::toSecurityServer)
-                .collect(toList());
+                .toList();
     }
 
     private SharedParameters.SecurityServer toSecurityServer(SecurityServer ss) {
@@ -173,22 +171,16 @@ private SharedParameters.SecurityServer toSecurityServer(SecurityServer ss) {
         result.setAddress(ss.getAddress());
         result.setServerCode(ss.getServerCode());
         result.setClients(getSecurityServerClients(ss.getId()));
-        result.setAuthCertHashes(ss.getAuthCerts().stream()
+        result.setAuthCerts(ss.getAuthCerts().stream()
                 .map(AuthCert::getCert)
-                .map(SharedParametersLoader::certHash)
-                .collect(toList()));
+                .toList());
         return result;
     }
 
     private List<ClientId> getSecurityServerClients(int id) {
         return clientService.find(new ClientService.SearchParameters().setSecurityServerId(id))
-                .stream().map(SharedParametersLoader::toClientId).collect(toList());
-
-    }
+                .stream().map(SharedParametersLoader::toClientId).toList();
 
-    @SneakyThrows
-    private static byte[] certHash(byte[] cert) {
-        return CryptoUtils.certHash(cert);
     }
 
     private static ClientId toClientId(FlattenedSecurityServerClientView client) {
@@ -201,7 +193,7 @@ private static ClientId toClientId(FlattenedSecurityServerClientView client) {
     private List<SharedParameters.GlobalGroup> getGlobalGroups() {
         return globalGroupService.findGlobalGroups().stream()
                 .map(this::getGlobalGroup)
-                .collect(toList());
+                .toList();
     }
 
     private SharedParameters.GlobalGroup getGlobalGroup(GlobalGroup globalGroup) {
@@ -220,7 +212,7 @@ private List<ClientId> getGroupMembers(String groupCode) {
     private SharedParameters.GlobalSettings getGlobalSettings() {
         var memberClasses = memberClassService.findAll().stream()
                 .map(memberClass -> new SharedParameters.MemberClass(memberClass.getCode(), memberClass.getDescription()))
-                .collect(toList());
+                .toList();
 
         return new SharedParameters.GlobalSettings(memberClasses, systemParameterService.getOcspFreshnessSeconds());
     }
diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2Converter.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2Converter.java
index eff6eacd63..a91d5a3864 100644
--- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2Converter.java
+++ b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2Converter.java
@@ -35,8 +35,10 @@
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v2.SharedParametersTypeV2;
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v2.SubsystemType;
 import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.util.CryptoUtils;
 
 import jakarta.xml.bind.JAXBElement;
+import lombok.SneakyThrows;
 import org.mapstruct.Context;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
@@ -48,8 +50,6 @@
 import java.util.List;
 import java.util.Map;
 
-import static java.util.stream.Collectors.toList;
-
 @Mapper(uses = {ObjectFactory.class, MappingUtils.class}, unmappedTargetPolicy = ReportingPolicy.ERROR)
 abstract class SharedParametersV2Converter {
     public static final SharedParametersV2Converter INSTANCE = Mappers.getMapper(SharedParametersV2Converter.class);
@@ -73,7 +73,7 @@ SharedParametersTypeV2 convert(SharedParameters sharedParameters) {
     @Mapping(source = "intermediateCAs", target = "intermediateCA")
     abstract ApprovedCATypeV2 convert(SharedParameters.ApprovedCA approvedCa);
 
-    @Mapping(source = "authCertHashes", target = "authCertHash")
+    @Mapping(source = "authCerts", target = "authCertHash", qualifiedByName = "toAuthCertHashes")
     @Mapping(source = "clients", target = "client", qualifiedByName = "clientsById")
     @Mapping(target = "owner", qualifiedByName = "clientById")
     abstract SecurityServerType convert(SharedParameters.SecurityServer securityServer, @Context Map<ClientId, Object> clientMap);
@@ -104,7 +104,19 @@ List<JAXBElement<Object>> xmlClientIds(List<ClientId> clientIds, @Context Map<Cl
         }
         return clientIds.stream()
                 .map(clientId -> OBJECT_FACTORY.createSecurityServerTypeClient(xmlClientId(clientId, clientMap)))
-                .collect(toList());
+                .toList();
+    }
+
+    @Named("toAuthCertHashes")
+    protected List<byte[]> toAuthCertHashes(List<byte[]> authCerts) {
+        return authCerts.stream()
+                .map(this::toAuthCertHash)
+                .toList();
+    }
+
+    @SneakyThrows
+    private byte[] toAuthCertHash(byte[] authCert) {
+        return CryptoUtils.certSha1Hash(authCert);
     }
 
     private Map<ClientId, Object> createClientIdMap(SharedParameters sharedParameters) {
diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java
index f1b7987a5d..ecfdae7e60 100644
--- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java
+++ b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3Converter.java
@@ -37,8 +37,10 @@
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v3.SharedParametersTypeV3;
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v3.SubsystemType;
 import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.util.CryptoUtils;
 
 import jakarta.xml.bind.JAXBElement;
+import lombok.SneakyThrows;
 import org.mapstruct.Context;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
@@ -50,8 +52,6 @@
 import java.util.List;
 import java.util.Map;
 
-import static java.util.stream.Collectors.toList;
-
 @Mapper(uses = {ObjectFactory.class, MappingUtils.class}, unmappedTargetPolicy = ReportingPolicy.ERROR)
 
 abstract class SharedParametersV3Converter {
@@ -82,7 +82,7 @@ abstract SharedParametersTypeV3 convert(SharedParameters sharedParameters,
     @Mapping(source = "intermediateCAs", target = "intermediateCA")
     abstract ApprovedCATypeV3 convert(SharedParameters.ApprovedCA approvedCa);
 
-    @Mapping(source = "authCertHashes", target = "authCertHash")
+    @Mapping(source = "authCerts", target = "authCertHash", qualifiedByName = "toAuthCertHashes")
     @Mapping(source = "clients", target = "client", qualifiedByName = "clientsById")
     @Mapping(target = "owner", qualifiedByName = "clientById")
     abstract SecurityServerType convert(SharedParameters.SecurityServer securityServer, @Context Map<ClientId, Object> clientMap);
@@ -113,7 +113,19 @@ List<JAXBElement<Object>> xmlClientIds(List<ClientId> clientIds, @Context Map<Cl
         }
         return clientIds.stream()
                 .map(clientId -> OBJECT_FACTORY.createSecurityServerTypeClient(xmlClientId(clientId, clientMap)))
-                .collect(toList());
+                .toList();
+    }
+
+    @Named("toAuthCertHashes")
+    protected List<byte[]> toAuthCertHashes(List<byte[]> authCerts) {
+        return authCerts.stream()
+                .map(this::toAuthCertHash)
+                .toList();
+    }
+
+    @SneakyThrows
+    private byte[] toAuthCertHash(byte[] authCert) {
+        return CryptoUtils.certHash(authCert);
     }
 
     private Map<ClientId, Object> createClientIdMap(SharedParameters sharedParameters) {
diff --git a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java
index 2041d1129b..4a8b302a80 100644
--- a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java
+++ b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersLoaderTest.java
@@ -27,7 +27,6 @@
 package org.niis.xroad.cs.admin.globalconf.generator;
 
 import ee.ria.xroad.common.identifier.ClientId;
-import ee.ria.xroad.common.util.CryptoUtils;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -174,7 +173,7 @@ private void assertSecurityServers(SharedParameters parameters) {
             assertThat(ss.getServerCode()).isEqualTo(SECURITY_SERVER_CODE);
             assertThat(ss.getClients()).singleElement()
                     .isEqualTo(ClientId.Conf.create(XROAD_INSTANCE, "CLASS", "M2", "S1"));
-            assertThat(ss.getAuthCertHashes()).singleElement().isEqualTo(CryptoUtils.certHash(SECURITY_SERVER_AUTH_CERT));
+            assertThat(ss.getAuthCerts()).singleElement().isEqualTo(SECURITY_SERVER_AUTH_CERT);
         });
     }
 
diff --git a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2ConverterTest.java b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2ConverterTest.java
index 1d8f0b424b..eed626742c 100644
--- a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2ConverterTest.java
+++ b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV2ConverterTest.java
@@ -29,6 +29,7 @@
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v2.ObjectFactory;
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v2.SharedParametersTypeV2;
 import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.util.CryptoUtils;
 
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBElement;
@@ -37,8 +38,10 @@
 import lombok.extern.slf4j.Slf4j;
 import org.assertj.core.api.recursive.comparison.ComparingNormalizedFields;
 import org.assertj.core.api.recursive.comparison.RecursiveComparisonConfiguration;
+import org.bouncycastle.operator.OperatorCreationException;
 import org.junit.jupiter.api.Test;
 
+import java.io.IOException;
 import java.io.StringWriter;
 import java.math.BigInteger;
 import java.util.List;
@@ -52,6 +55,7 @@
 
 @Slf4j
 class SharedParametersV2ConverterTest {
+
     private static final Map<String, String> FIELD_NAME_MAP = Map.ofEntries(
             entry("securityServer", "securityServers"),
             entry("approvedCA", "approvedCAs"),
@@ -62,12 +66,12 @@ class SharedParametersV2ConverterTest {
             entry("subsystem", "subsystems"),
             entry("client", "clients"),
             entry("memberClass", "memberClasses"),
-            entry("authCertHash", "authCertHashes"),
+            entry("authCertHash", "authCerts"),
             entry("groupMember", "groupMembers")
     );
 
     @Test
-    void shouldConvertAllFields() {
+    void shouldConvertAllFields() throws IOException, OperatorCreationException {
         var sharedParameters = getSharedParameters();
         var xmlType = SharedParametersV2Converter.INSTANCE.convert(sharedParameters);
 
@@ -75,6 +79,7 @@ void shouldConvertAllFields() {
                 .withIntrospectionStrategy(compareRenamedFields())
                 .withIgnoredFields("securityServers.owner",
                         "securityServers.clients",
+                        "securityServers.authCerts",
                         "members.id",
                         "members.subsystems.id",
                         "centralService"
@@ -95,6 +100,8 @@ void shouldConvertAllFields() {
                 .allFieldsSatisfy(Objects::nonNull);
 
         assertIdReferences(xmlType);
+        assertThat(xmlType.getSecurityServer().get(0).getAuthCertHash().get(0))
+                .isEqualTo(CryptoUtils.certSha1Hash(sharedParameters.getSecurityServers().get(0).getAuthCerts().get(0)));
     }
 
     @Test
@@ -191,7 +198,7 @@ private static SharedParameters.SecurityServer getSecurityServer() {
         securityServer.setServerCode("security-server-code");
         securityServer.setAddress("security-server-address");
         securityServer.setClients(List.of(subsystemId(memberId(), "SUB1")));
-        securityServer.setAuthCertHashes(List.of("ss-auth-cert".getBytes(UTF_8)));
+        securityServer.setAuthCerts(List.of("ss-auth-cert".getBytes(UTF_8)));
         return securityServer;
     }
 
diff --git a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java
index 3d9ab92a87..58bd7e6eea 100644
--- a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java
+++ b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/SharedParametersV3ConverterTest.java
@@ -29,6 +29,7 @@
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v3.ObjectFactory;
 import ee.ria.xroad.common.conf.globalconf.sharedparameters.v3.SharedParametersTypeV3;
 import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.util.CryptoUtils;
 
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBElement;
@@ -37,8 +38,10 @@
 import lombok.extern.slf4j.Slf4j;
 import org.assertj.core.api.recursive.comparison.ComparingNormalizedFields;
 import org.assertj.core.api.recursive.comparison.RecursiveComparisonConfiguration;
+import org.bouncycastle.operator.OperatorCreationException;
 import org.junit.jupiter.api.Test;
 
+import java.io.IOException;
 import java.io.StringWriter;
 import java.math.BigInteger;
 import java.util.List;
@@ -66,12 +69,12 @@ class SharedParametersV3ConverterTest {
             entry("subsystem", "subsystems"),
             entry("client", "clients"),
             entry("memberClass", "memberClasses"),
-            entry("authCertHash", "authCertHashes"),
+            entry("authCertHash", "authCerts"),
             entry("groupMember", "groupMembers")
     );
 
     @Test
-    void shouldConvertAllFields() {
+    void shouldConvertAllFields() throws IOException, OperatorCreationException {
         var sharedParameters = getSharedParameters();
         var xmlType = SharedParametersV3Converter.INSTANCE.convert(sharedParameters);
 
@@ -79,6 +82,7 @@ void shouldConvertAllFields() {
                 .withIntrospectionStrategy(compareRenamedFields())
                 .withIgnoredFields("securityServers.owner",
                         "securityServers.clients",
+                        "securityServers.authCerts",
                         "members.id",
                         "members.subsystems.id",
                         "centralService",
@@ -101,6 +105,8 @@ void shouldConvertAllFields() {
                 .allFieldsSatisfy(Objects::nonNull);
 
         assertIdReferences(xmlType);
+        assertThat(xmlType.getSecurityServer().get(0).getAuthCertHash().get(0))
+                .isEqualTo(CryptoUtils.certHash(sharedParameters.getSecurityServers().get(0).getAuthCerts().get(0)));
     }
 
     @Test
@@ -209,7 +215,7 @@ private static SharedParameters.SecurityServer getSecurityServer() {
         securityServer.setServerCode("security-server-code");
         securityServer.setAddress("security-server-address");
         securityServer.setClients(List.of(subsystemId(memberId(), "SUB1")));
-        securityServer.setAuthCertHashes(List.of("ss-auth-cert".getBytes(UTF_8)));
+        securityServer.setAuthCerts(List.of("ss-auth-cert".getBytes(UTF_8)));
         return securityServer;
     }
 
diff --git a/src/central-server/admin-service/ui/src/components/certificate/CertificateHash.vue b/src/central-server/admin-service/ui/src/components/certificate/CertificateHash.vue
index 796646da9f..d1ddfebcae 100644
--- a/src/central-server/admin-service/ui/src/components/certificate/CertificateHash.vue
+++ b/src/central-server/admin-service/ui/src/components/certificate/CertificateHash.vue
@@ -48,7 +48,7 @@ export default defineComponent({
 
 <style lang="scss" scoped>
 .cert-hash {
-  font-size: 20px;
+  font-size: 16px;
   font-weight: 500;
   letter-spacing: 0.5px;
   line-height: 30px;
diff --git a/src/central-server/admin-service/ui/src/locales/en.json b/src/central-server/admin-service/ui/src/locales/en.json
index 1ad5ed9f2e..dc26f40a52 100644
--- a/src/central-server/admin-service/ui/src/locales/en.json
+++ b/src/central-server/admin-service/ui/src/locales/en.json
@@ -479,7 +479,7 @@
   },
   "cert": {
     "certificate": "Certificate",
-    "hashInfo": "Hash (SHA-1)",
+    "hashInfo": "Hash (SHA-256)",
     "rsaExp": "RSA Public Key Exponent",
     "rsaModulus": "RSA Public Key Modulus",
     "keyUsage": {
diff --git a/src/central-server/openapi-model/src/main/resources/openapi-definition.yaml b/src/central-server/openapi-model/src/main/resources/openapi-definition.yaml
index 4bd2257f06..da5ca6208d 100644
--- a/src/central-server/openapi-model/src/main/resources/openapi-definition.yaml
+++ b/src/central-server/openapi-model/src/main/resources/openapi-definition.yaml
@@ -3143,10 +3143,10 @@ components:
       description: certificate details for any kind of certificate (TLS, auth, sign) # potential-common-api
       properties:
         hash:
-          description: certificate SHA-1 hash
+          description: certificate SHA-256 hash
           example: 1234567890ABCDEF
           format: text
-          maxLength: 40
+          maxLength: 64
           minLength: 1
           type: string
         issuer_common_name:
diff --git a/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml
index 0c340a5113..2c054f5579 100644
--- a/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml
+++ b/src/common/common-int-test/src/main/resources/signer-container-files/etc/xroad/globalconf/CS/shared-params.xml
@@ -67,7 +67,7 @@
         <owner>id0</owner>
         <serverCode>SS0</serverCode>
         <address>ss0</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id1</client>
         <client>id7</client>
     </securityServer>
@@ -75,7 +75,7 @@
         <owner>id4</owner>
         <serverCode>SS1</serverCode>
         <address>ss1</address>
-        <authCertHash>03SfHhv+L5OJrJaod/sOZn6vp1c=</authCertHash>
+        <authCertHash>Q/wASEqban646kxZ0/uveKBv4h7U3FWnlKzsSJZU1f8=</authCertHash>
         <client>id5</client>
         <client>id6</client>
         <client>id3</client>
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectory.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectory.java
index b494b900e1..d2d521085f 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectory.java
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectory.java
@@ -47,13 +47,14 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.function.Consumer;
+import java.util.function.Predicate;
 import java.util.stream.Stream;
 
 import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR;
 import static ee.ria.xroad.common.SystemProperties.CURRENT_GLOBAL_CONFIGURATION_VERSION;
 import static ee.ria.xroad.common.conf.globalconf.ConfigurationUtils.escapeInstanceIdentifier;
-import static java.lang.String.valueOf;
 
 /**
  * Class for reading global configuration directory. The directory must have subdirectory per instance identifier.
@@ -199,41 +200,37 @@ private void loadSharedParameters(Path instanceDir, Map<String, SharedParameters
     /**
      * Returns private parameters for a given instance identifier.
      * @param instanceId the instance identifier
-     * @return private parameters or null, if no private parameters exist for given instance identifier
-     * @throws Exception if an error occurs while reading parameters
+     * @return optional of private parameters or {@link Optional#empty()} if no private parameters exist for given instance identifier
      */
-    public PrivateParameters getPrivate(String instanceId) throws Exception {
+    public Optional<PrivateParameters> findPrivate(String instanceId) {
         String safeInstanceId = escapeInstanceIdentifier(instanceId);
 
-        log.trace("getPrivate(instance = {}, directory = {})", instanceId, safeInstanceId);
+        log.trace("findPrivate(instance = {}, directory = {})", instanceId, safeInstanceId);
 
         PrivateParametersProvider provider = privateParameters.get(safeInstanceId);
-        return provider != null ? provider.getPrivateParameters() : null;
-    }
-
-    public OffsetDateTime getPrivateExpiresOn(String instanceId) {
-        String safeInstanceId = escapeInstanceIdentifier(instanceId);
-        return privateParameters.get(safeInstanceId).getExpiresOn();
+        return Optional.ofNullable(provider)
+                .map(PrivateParametersProvider::getPrivateParameters);
     }
 
     /**
      * Returns shared parameters for a given instance identifier.
      * @param instanceId the instance identifier
-     * @return shared parameters or null, if no shared parameters exist for given instance identifier
+     * @return optional of shared parameters or {@link Optional#empty()} if no shared parameters exist for given instance identifier
      */
-    public SharedParameters getShared(String instanceId) {
+    public Optional<SharedParameters> findShared(String instanceId) {
         String safeInstanceId = escapeInstanceIdentifier(instanceId);
 
-        log.trace("getShared(instance = {}, directory = {})", instanceId, safeInstanceId);
+        log.trace("findShared(instance = {}, directory = {})", instanceId, safeInstanceId);
 
-        SharedParametersProvider parameters = sharedParameters.get(safeInstanceId);
-        // ignore federated parameters that are expired
-        if (parameters != null && parameters.getSharedParameters() != null
-                && (parameters.getSharedParameters().getInstanceIdentifier().equals(instanceIdentifier)
-                || parameters.getExpiresOn().isAfter(TimeUtils.offsetDateTimeNow()))) {
-            return parameters.getSharedParameters();
-        }
-        return null;
+        Predicate<SharedParametersProvider> isMainInstance = params ->
+                params.getSharedParameters() != null && instanceIdentifier.equals(params.getSharedParameters().getInstanceIdentifier());
+        Predicate<SharedParametersProvider> notExpired = params ->
+                params.getExpiresOn().isAfter(TimeUtils.offsetDateTimeNow());
+
+        SharedParametersProvider provider = sharedParameters.get(safeInstanceId);
+        return Optional.ofNullable(provider)
+                .filter(isMainInstance.or(notExpired))
+                .map(SharedParametersProvider::getSharedParameters);
     }
 
     /**
@@ -250,9 +247,21 @@ public List<SharedParameters> getShared() {
                 .toList();
     }
 
-    public OffsetDateTime getSharedExpiresOn(String instanceId) {
-        String safeInstanceId = escapeInstanceIdentifier(instanceId);
-        return sharedParameters.get(safeInstanceId).getExpiresOn();
+    public boolean isExpired() {
+        OffsetDateTime now = TimeUtils.offsetDateTimeNow();
+        String safeInstanceId = escapeInstanceIdentifier(instanceIdentifier);
+
+        OffsetDateTime privateExpiresOn = privateParameters.get(safeInstanceId).getExpiresOn();
+        if (now.isAfter(privateExpiresOn)) {
+            log.warn("Main privateParameters expired at {}", privateExpiresOn);
+            return true;
+        }
+        OffsetDateTime sharedExpiresOn = sharedParameters.get(safeInstanceId).getExpiresOn();
+        if (now.isAfter(sharedExpiresOn)) {
+            log.warn("Main sharedParameters expired at {}", sharedExpiresOn);
+            return true;
+        }
+        return false;
     }
 
     /**
@@ -323,12 +332,17 @@ public static ConfigurationPartMetadata getMetadata(Path fileName) throws IOExce
     }
 
     public static boolean isCurrentVersion(Path filePath) {
+            Integer confVersion = getVersion(filePath);
+            return confVersion != null && confVersion == CURRENT_GLOBAL_CONFIGURATION_VERSION;
+    }
+
+    public static Integer getVersion(Path filePath) {
         try {
-            String confVersion = getMetadata(filePath).getConfigurationVersion();
-            return valueOf(CURRENT_GLOBAL_CONFIGURATION_VERSION).equals(confVersion);
-        } catch (IOException e) {
+            String version = getMetadata(filePath).getConfigurationVersion();
+            return Integer.parseInt(version);
+        } catch (IOException | NumberFormatException e) {
             log.error("Unable to read configuration version", e);
-            return false;
+            return null;
         }
     }
 
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
index 62df279930..d003ca25e6 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
@@ -65,6 +65,7 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Security;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -106,7 +107,7 @@ public final class CryptoUtils {
     public static final String DEFAULT_DIGEST_ALGORITHM_URI = DigestMethod.SHA512;
 
     /** Default digest algorithm id used for calculating certificate hashes. */
-    public static final String DEFAULT_CERT_HASH_ALGORITHM_ID = CryptoUtils.SHA1_ID;
+    public static final String DEFAULT_CERT_HASH_ALGORITHM_ID = CryptoUtils.SHA256_ID;
 
     /** Default digest algorithm id used for calculating configuration anchor hashes. */
     public static final String DEFAULT_ANCHOR_HASH_ALGORITHM_ID = CryptoUtils.SHA224_ID;
@@ -615,7 +616,7 @@ public static String calculateDelimitedCertHexHash(X509Certificate cert, String
     }
 
     /**
-     * Calculates a sha-1 digest of the given bytes and encodes it
+     * Calculates a sha-256 digest of the given bytes and encodes it
      * as lowercase hex.
      * @return calculated certificate hex hash String
      * @param bytes the bytes
@@ -627,7 +628,7 @@ public static String calculateCertHexHash(byte[] bytes)
     }
 
     /**
-     * Calculates a sha-1 digest of the given bytes and encodes it in
+     * Calculates a sha-256 digest of the given bytes and encodes it in
      * format 92:62:34:C5:39:1B:95:1F:BF:AF:8D:D6:23:24:AE:56:83:DC...
      * @return calculated certificate hex hash uppercase and separated by semicolons String
      * @param bytes the bytes
@@ -664,7 +665,7 @@ public static String calculateAnchorHashDelimited(byte[] bytes) {
      * @return digest byte array of the certificate
      * @throws Exception if any errors occur
      */
-    public static byte[] certHash(X509Certificate cert) throws Exception {
+    public static byte[] certHash(X509Certificate cert) throws CertificateEncodingException, IOException, OperatorCreationException {
         return certHash(cert.getEncoded());
     }
 
@@ -672,21 +673,33 @@ public static byte[] certHash(X509Certificate cert) throws Exception {
      * Calculates a digest of the given certificate bytes.
      * @param bytes the bytes
      * @return digest byte array of the certificate
-     * @throws Exception if any errors occur
+     * @throws OperatorCreationException if digest calculator cannot be created
+     * @throws IOException if an I/O error occurred
      */
-    public static byte[] certHash(byte[] bytes) throws Exception {
+    public static byte[] certHash(byte[] bytes) throws IOException, OperatorCreationException {
         return calculateDigest(DEFAULT_CERT_HASH_ALGORITHM_ID, bytes);
     }
 
+    /**
+     * Calculates sha-1 digest of the given certificate bytes.
+     * @param bytes the bytes
+     * @return digest byte array of the certificate
+     * @throws OperatorCreationException if digest calculator cannot be created
+     * @throws IOException if an I/O error occurred
+     */
+    public static byte[] certSha1Hash(byte[] bytes) throws IOException, OperatorCreationException {
+        return calculateDigest(SHA1_ID, bytes);
+    }
+
     /**
      * Digests the input data and hex-encodes the result.
      * @param hashAlg Name of the hash algorithm
      * @param data Data to be hashed
      * @return hex encoded String of the input data digest
-     * @throws Exception if any errors occur
+     * @throws OperatorCreationException if digest calculator cannot be created
+     * @throws IOException if an I/O error occurred
      */
-    public static String hexDigest(String hashAlg, byte[] data)
-            throws Exception {
+    public static String hexDigest(String hashAlg, byte[] data) throws IOException, OperatorCreationException {
         return encodeHex(calculateDigest(hashAlg, data));
     }
 
@@ -695,10 +708,10 @@ public static String hexDigest(String hashAlg, byte[] data)
      * @param hashAlg Name of the hash algorithm
      * @param data Data to be hashed
      * @return hex encoded String of the input data digest
-     * @throws Exception if any errors occur
+     * @throws OperatorCreationException if digest calculator cannot be created
+     * @throws IOException if an I/O error occurred
      */
-    public static String hexDigest(String hashAlg, String data)
-            throws Exception {
+    public static String hexDigest(String hashAlg, String data) throws IOException, OperatorCreationException {
         return hexDigest(hashAlg, data.getBytes(StandardCharsets.UTF_8));
     }
 
diff --git a/src/common/common-util/src/test/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectoryTest.java b/src/common/common-util/src/test/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectoryTest.java
index beb6a57d60..e74858f0c9 100644
--- a/src/common/common-util/src/test/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectoryTest.java
+++ b/src/common/common-util/src/test/java/ee/ria/xroad/common/conf/globalconf/VersionedConfigurationDirectoryTest.java
@@ -32,8 +32,6 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 
 /**
@@ -52,21 +50,17 @@ public void readDirectoryV2() throws Exception {
 
         assertEquals("EE", dir.getInstanceIdentifier());
 
-        PrivateParameters p = dir.getPrivate("foo");
+        PrivateParameters p = dir.findPrivate("foo").orElseThrow();
 
-        assertNotNull(p);
         assertEquals("foo", p.getInstanceIdentifier());
 
-        SharedParameters s = dir.getShared("foo");
+        SharedParameters s = dir.findShared("foo").orElseThrow();
 
-        assertNotNull(s);
         assertEquals("foo", s.getInstanceIdentifier());
 
-        dir.getShared("foo"); // intentional
-
-        assertNull(dir.getPrivate("bar"));
-        assertNotNull(dir.getShared("bar"));
-        assertNull(dir.getShared("xxx"));
+        assertTrue(dir.findPrivate("bar").isEmpty());
+        assertTrue(dir.findShared("bar").isPresent());
+        assertTrue(dir.findShared("xxx").isEmpty());
     }
 
     /**
@@ -111,21 +105,17 @@ public void readDirectoryContainingBothV3AndV2Configurations() throws Exception
 
         assertEquals("EE", dir.getInstanceIdentifier());
 
-        PrivateParameters p = dir.getPrivate("foo_v2");
+        PrivateParameters p = dir.findPrivate("foo_v2").orElseThrow();
 
-        assertNotNull(p);
         assertEquals("foo_v2", p.getInstanceIdentifier());
 
-        SharedParameters s = dir.getShared("foo_v2");
+        SharedParameters s = dir.findShared("foo_v2").orElseThrow();
 
-        assertNotNull(s);
         assertEquals("foo_v2", s.getInstanceIdentifier());
 
-        dir.getShared("foo_v2"); // intentional
-
-        assertNull(dir.getPrivate("bar"));
-        assertNotNull(dir.getShared("bar"));
-        assertNull(dir.getShared("xxx"));
+        assertTrue(dir.findPrivate("bar").isEmpty());
+        assertTrue(dir.findShared("bar").isPresent());
+        assertTrue(dir.findShared("xxx").isEmpty());
     }
 
     /**
@@ -168,8 +158,8 @@ public void readConfigurationFilesContainingBothV3AndV2() throws Exception {
     public void readEmptyDirectory() throws Exception {
         VersionedConfigurationDirectory dir = new VersionedConfigurationDirectory("src/test/resources/globalconf_empty");
 
-        assertNull(dir.getPrivate("foo"));
-        assertNull(dir.getShared("foo"));
+        assertTrue(dir.findPrivate("foo").isEmpty());
+        assertTrue(dir.findShared("foo").isEmpty());
     }
 
     /**
@@ -181,8 +171,8 @@ public void readEmptyDirectory() throws Exception {
     public void readMalformedDirectory() throws Exception {
         VersionedConfigurationDirectory dir = new VersionedConfigurationDirectory("src/test/resources/globalconf_malformed");
 
-        assertNull(dir.getPrivate("foo"));
-        assertNull(dir.getShared("foo"));
+        assertTrue(dir.findPrivate("foo").isEmpty());
+        assertTrue(dir.findShared("foo").isEmpty());
     }
 
     private boolean pathExists(List<Path> paths, String path) {
diff --git a/src/common/common-util/src/test/resources/globalconf_good_v3/EE/shared-params.xml b/src/common/common-util/src/test/resources/globalconf_good_v3/EE/shared-params.xml
index da4c776b2e..8de2096ec9 100644
--- a/src/common/common-util/src/test/resources/globalconf_good_v3/EE/shared-params.xml
+++ b/src/common/common-util/src/test/resources/globalconf_good_v3/EE/shared-params.xml
@@ -412,8 +412,8 @@
         <owner>producerId</owner>
         <serverCode>producerServerCode</serverCode>
         <address>127.0.0.1</address>
-        <!-- Extracted using command 'openssl sha512 producer.pem' -->
-        <authCertHash>BnAMEvOVGDx3mIT81J1MpV+khaplYX2lt12EknvsLJE=</authCertHash>
+        <!-- Extracted using command 'openssl sha256 producer.pem' -->
+        <authCertHash>xcuWTrx4uFeP5mNBXIhYITy+gUM72CJfL63MsWXffXM=</authCertHash>
         <client>consumerId</client>
         <client>fooId</client>
         <client>foosubsystemId</client>
@@ -423,13 +423,14 @@
         <owner>consumerId</owner>
         <serverCode>consumerServerCode</serverCode>
         <address>https://www.foo.com/bar</address>
-        <authCertHash>mxwUY66bn81Nkvbmbgif0agWZgM=</authCertHash>
+        <!-- Extracted using command 'openssl sha256 consumer.pem' -->
+        <authCertHash>XhdxNaWNz7XBuakTRDyz+5Ald53DCy3DwxUacFe/VX8=</authCertHash>
     </securityServer>
 
     <securityServer>
         <owner>fooId</owner>
         <serverCode>fooServerCode</serverCode>
-        <authCertHash>GLx/0DiFv3V1I1Nbd04r3z0oUno=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>producerId</client>
     </securityServer>
 
@@ -437,7 +438,7 @@
         <owner>fooId</owner>
         <serverCode>FooBarServerCode</serverCode>
         <address>https://foo.bar.baz</address>
-        <authCertHash>S6j8iYRoUfcZEtUu/MPtToSYxLI=</authCertHash>
+        <authCertHash>Q/wASEqban646kxZ0/uveKBv4h7U3FWnlKzsSJZU1f8=</authCertHash>
         <client>fooId</client>
     </securityServer>
 
diff --git a/src/common/common-util/src/test/resources/globalconf_good_v3/bar/shared-params.xml b/src/common/common-util/src/test/resources/globalconf_good_v3/bar/shared-params.xml
index 6d37563339..f7c2a1fc84 100644
--- a/src/common/common-util/src/test/resources/globalconf_good_v3/bar/shared-params.xml
+++ b/src/common/common-util/src/test/resources/globalconf_good_v3/bar/shared-params.xml
@@ -138,8 +138,8 @@
         <owner>producerId</owner>
         <serverCode>producerServerCode</serverCode>
         <address>127.0.0.1</address>
-        <!-- Extracted using command 'openssl sha512 producer.pem' -->
-        <authCertHash>BnAMEvOVGDx3mIT81J1MpV+khaplYX2lt12EknvsLJE=</authCertHash>
+        <!-- Extracted using command 'openssl sha256 producer.pem' -->
+        <authCertHash>xcuWTrx4uFeP5mNBXIhYITy+gUM72CJfL63MsWXffXM=</authCertHash>
         <client>consumerId</client>
         <client>fooId</client>
         <client>foosubsystemId</client>
@@ -149,13 +149,14 @@
         <owner>consumerId</owner>
         <serverCode>consumerServerCode</serverCode>
         <address>https://www.foo.com/bar</address>
-        <authCertHash>NS21xw8PH7goeyqkzhT9NdqXi9c=</authCertHash>
+        <!-- Extracted using command 'openssl sha256 consumer.pem' -->
+        <authCertHash>XhdxNaWNz7XBuakTRDyz+5Ald53DCy3DwxUacFe/VX8=</authCertHash>
     </securityServer>
 
     <securityServer>
         <owner>fooId</owner>
         <serverCode>fooServerCode</serverCode>
-        <authCertHash>6C4LKxhNQ4fCr9g3CNTP6uuHLPc=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>producerId</client>
     </securityServer>
 
@@ -163,7 +164,7 @@
         <owner>fooId</owner>
         <serverCode>FooBarServerCode</serverCode>
         <address>https://foo.bar.baz</address>
-        <authCertHash>S6j8iYRoUfcZEtUu/MPtToSYxLI=</authCertHash>
+        <authCertHash>Q/wASEqban646kxZ0/uveKBv4h7U3FWnlKzsSJZU1f8=</authCertHash>
         <client>fooId</client>
     </securityServer>
 
diff --git a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/conf/globalconf/GlobalConfImpl.java b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/conf/globalconf/GlobalConfImpl.java
index e49dceb233..8c287ebb4d 100644
--- a/src/common/common-verifier/src/main/java/ee/ria/xroad/common/conf/globalconf/GlobalConfImpl.java
+++ b/src/common/common-verifier/src/main/java/ee/ria/xroad/common/conf/globalconf/GlobalConfImpl.java
@@ -36,17 +36,17 @@
 import ee.ria.xroad.common.identifier.SecurityServerId;
 import ee.ria.xroad.common.util.CertUtils;
 import ee.ria.xroad.common.util.CryptoUtils;
-import ee.ria.xroad.common.util.TimeUtils;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.operator.OperatorCreationException;
 
 import java.io.IOException;
+import java.nio.file.Path;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
-import java.time.OffsetDateTime;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -63,6 +63,7 @@
 import static ee.ria.xroad.common.ErrorCodes.translateWithPrefix;
 import static ee.ria.xroad.common.SystemProperties.getConfigurationPath;
 import static ee.ria.xroad.common.util.CryptoUtils.certHash;
+import static ee.ria.xroad.common.util.CryptoUtils.certSha1Hash;
 import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64;
 import static ee.ria.xroad.common.util.CryptoUtils.readCertificate;
 
@@ -97,21 +98,10 @@ public void reload() {
     public boolean isValid() {
         // it is important to get handle of confDir as this variable is volatile
         VersionedConfigurationDirectory checkDir = confDir;
-        String mainInstance = checkDir.getInstanceIdentifier();
-        OffsetDateTime now = TimeUtils.offsetDateTimeNow();
         try {
-            if (now.isAfter(checkDir.getPrivateExpiresOn(mainInstance))) {
-                log.warn("Main privateParameters expired at {}", checkDir.getPrivateExpiresOn(mainInstance));
-                return false;
-            }
-            if (now.isAfter(checkDir.getSharedExpiresOn(mainInstance))) {
-                log.warn("Main sharedParameters expired at {}", checkDir.getSharedExpiresOn(mainInstance));
-                return false;
-            }
-            return true;
+            return !checkDir.isExpired();
         } catch (Exception e) {
             log.warn("Error checking global configuration validity", e);
-
             return false;
         }
     }
@@ -125,7 +115,7 @@ public String getInstanceIdentifier() {
     public List<String> getInstanceIdentifiers() {
         return getSharedParameters().stream()
                 .map(SharedParameters::getInstanceIdentifier)
-                .collect(Collectors.toList());
+                .toList();
     }
 
     @Override
@@ -175,18 +165,18 @@ ClientId.Conf createSubsystemId(SharedParameters p, SharedParameters.Member memb
 
     @Override
     public String getMemberName(ClientId clientId) {
-        SharedParameters p;
+        Optional<SharedParameters> p;
         try {
-            p = confDir.getShared(clientId.getXRoadInstance());
+            p = confDir.findShared(clientId.getXRoadInstance());
         } catch (Exception e) {
             throw new CodedException(X_INTERNAL_ERROR, e);
         }
 
-        return p == null ? null : p.getMembers().stream()
-                .filter(m -> createMemberId(p, m).memberEquals(clientId))
+        return p.flatMap(params -> params.getMembers().stream()
+                .filter(m -> createMemberId(p.get(), m).memberEquals(clientId))
                 .map(SharedParameters.Member::getName)
                 .findFirst()
-                .orElse(null);
+        ).orElse(null);
     }
 
     @Override
@@ -208,17 +198,18 @@ GlobalGroupId.Conf createGlobalGroupId(SharedParameters.GlobalGroup globalGroup,
 
     @Override
     public String getGlobalGroupDescription(GlobalGroupId globalGroupId) {
-        SharedParameters p;
+        Optional<SharedParameters> p;
         try {
-            p = confDir.getShared(globalGroupId.getXRoadInstance());
+            p = confDir.findShared(globalGroupId.getXRoadInstance());
         } catch (Exception e) {
             throw new CodedException(X_INTERNAL_ERROR, e);
         }
 
-        return p == null ? null : p.getGlobalGroups().stream()
+        return p.flatMap(params -> params.getGlobalGroups().stream()
                 .filter(g -> g.getGroupCode().equals(globalGroupId.getGroupCode()))
                 .map(SharedParameters.GlobalGroup::getDescription)
-                .findFirst().orElse(null);
+                .findFirst()
+        ).orElse(null);
     }
 
     @Override
@@ -232,7 +223,7 @@ public Set<String> getMemberClasses(String... instanceIdentifiers) {
     @Override
     public Collection<String> getProviderAddress(ClientId clientId) {
         if (clientId == null) {
-            return null;
+            return Collections.emptySet();
         }
 
         SharedParameters p = getSharedParameters(clientId.getXRoadInstance());
@@ -349,7 +340,7 @@ public X509Certificate getCaCert(String instanceIdentifier,
     public List<X509Certificate> getAllCaCerts() {
         return getSharedParameters().stream()
                 .flatMap(p -> p.getSubjectsAndCaCerts().values().stream())
-                .collect(Collectors.toList());
+                .toList();
     }
 
     @Override
@@ -415,11 +406,9 @@ public X509Certificate[] getAuthTrustChain() {
     }
 
     @Override
-    public SecurityServerId.Conf getServerId(X509Certificate cert)
-            throws Exception {
-        String b64 = encodeBase64(certHash(cert));
-
+    public SecurityServerId.Conf getServerId(X509Certificate cert) throws Exception {
         for (SharedParameters p : getSharedParameters()) {
+            String b64 = encodeBase64(calculateCertHash(p, cert));
             SharedParameters.SecurityServer server = p.getServerByAuthCert().get(b64);
             if (server != null) {
                 return SecurityServerId.Conf.create(
@@ -432,27 +421,42 @@ public SecurityServerId.Conf getServerId(X509Certificate cert)
         return null;
     }
 
+    private byte[] calculateCertHash(SharedParameters p, X509Certificate cert)
+            throws CertificateEncodingException, IOException, OperatorCreationException {
+        Integer version = VersionedConfigurationDirectory.getVersion(
+                Path.of(confDir.getPath().toString(), p.getInstanceIdentifier(), ConfigurationConstants.FILE_NAME_SHARED_PARAMETERS)
+        );
+        if (version != null && version > 2) {
+            return certHash(cert.getEncoded());
+        } else {
+            return certSha1Hash(cert.getEncoded());
+        }
+    }
+
     @Override
     public ClientId getServerOwner(SecurityServerId serverId) {
         for (SharedParameters p : getSharedParameters()) {
-            SharedParameters.SecurityServer server = p.getSecurityServersById()
-                    .get(serverId);
+            SharedParameters.SecurityServer server = p.getSecurityServersById().get(serverId);
             if (server != null) {
                 return server.getOwner();
             }
         }
-
         return null;
     }
 
     @Override
-    public boolean authCertMatchesMember(X509Certificate cert,
-            ClientId memberId) throws Exception {
-        byte[] inputCertHash = certHash(cert);
-        return getSharedParameters().stream()
-                .map(p -> p.getMemberAuthCerts().get(memberId))
-                .filter(Objects::nonNull).flatMap(Collection::stream)
-                .anyMatch(h -> Arrays.equals(inputCertHash, h));
+    public boolean authCertMatchesMember(X509Certificate cert, ClientId memberId)
+            throws CertificateEncodingException, IOException, OperatorCreationException {
+        for (SharedParameters p : getSharedParameters()) {
+            byte[] inputCertHash = calculateCertHash(p, cert);
+            boolean match = Optional.ofNullable(p.getMemberAuthCerts().get(memberId)).stream()
+                    .flatMap(Collection::stream)
+                    .anyMatch(h -> Arrays.equals(inputCertHash, h));
+            if (match) {
+                return true;
+            }
+        }
+        return false;
     }
 
     @Override
@@ -461,7 +465,7 @@ public Collection<ApprovedCAInfo> getApprovedCAs(
         return getSharedParameters(instanceIdentifier).getApprovedCAs()
             .stream()
             .map(this::createApprovedCAInfo)
-            .collect(Collectors.toList());
+            .toList();
     }
 
     private ApprovedCAInfo createApprovedCAInfo(SharedParameters.ApprovedCA ca) {
@@ -504,7 +508,7 @@ public SignCertificateProfileInfo getSignCertificateProfileInfo(
     public List<String> getApprovedTspUrls(String instanceIdentifier) {
         return getSharedParameters(instanceIdentifier).getApprovedTSAs()
                 .stream().map(SharedParameters.ApprovedTSA::getUrl)
-                .collect(Collectors.toList());
+                .toList();
     }
 
     @Override
@@ -527,7 +531,7 @@ public List<X509Certificate> getTspCertificates() throws Exception {
                 .map(SharedParameters.ApprovedTSA::getCert)
                 .filter(Objects::nonNull)
                 .map(CryptoUtils::readCertificate)
-                .collect(Collectors.toList());
+                .toList();
     }
 
     @Override
@@ -545,7 +549,7 @@ public boolean isSubjectInGlobalGroup(ClientId subjectId, GlobalGroupId groupId)
     }
 
     Optional<SharedParameters.GlobalGroup> findGlobalGroup(GlobalGroupId groupId) {
-        Optional<SharedParameters> sharedParameters = Optional.ofNullable(confDir.getShared(groupId.getXRoadInstance()));
+        Optional<SharedParameters> sharedParameters = confDir.findShared(groupId.getXRoadInstance());
         return sharedParameters.flatMap(params -> params.getGlobalGroups().stream()
                         .filter(g -> g.getGroupCode().equals(groupId.getGroupCode()))
                         .findFirst());
@@ -573,7 +577,7 @@ public boolean existsSecurityServer(SecurityServerId securityServerId) {
     public List<X509Certificate> getVerificationCaCerts() {
         return getSharedParameters().stream()
                 .flatMap(p -> p.getVerificationCaCerts().stream())
-                .collect(Collectors.toList());
+                .toList();
     }
 
     @Override
@@ -610,33 +614,27 @@ public int getTimestampingIntervalSeconds() {
     // ------------------------------------------------------------------------
 
     protected PrivateParameters getPrivateParameters() {
-        PrivateParameters p;
+        Optional<PrivateParameters> p;
         try {
-            p = confDir.getPrivate(getInstanceIdentifier());
+            p = confDir.findPrivate(getInstanceIdentifier());
         } catch (Exception e) {
             throw new CodedException(X_INTERNAL_ERROR, e);
         }
 
-        if (p == null) {
-            throw new CodedException(X_INTERNAL_ERROR, "Private params for instance identifier %s not found", getInstanceIdentifier());
-        }
-
-        return p;
+        return p.orElseThrow(() ->
+                new CodedException(X_INTERNAL_ERROR, "Private params for instance identifier %s not found", getInstanceIdentifier()));
     }
 
     protected SharedParameters getSharedParameters(String instanceIdentifier) {
-        SharedParameters p;
+        Optional<SharedParameters> p;
         try {
-            p = confDir.getShared(instanceIdentifier);
+            p = confDir.findShared(instanceIdentifier);
         } catch (Exception e) {
             throw new CodedException(X_INTERNAL_ERROR, e);
         }
 
-        if (p == null) {
-            throw new CodedException(X_INTERNAL_ERROR, "Shared params for instance identifier %s not found", instanceIdentifier);
-        }
-
-        return p;
+        return p.orElseThrow(() ->
+                new CodedException(X_INTERNAL_ERROR, "Shared params for instance identifier %s not found", instanceIdentifier));
     }
 
     protected List<SharedParameters> getSharedParameters(
@@ -647,7 +645,7 @@ protected List<SharedParameters> getSharedParameters(
 
         return Arrays.stream(instanceIdentifiers)
                 .map(this::getSharedParameters)
-                .collect(Collectors.toList());
+                .toList();
     }
 
     private CertificateProfileInfoProvider getCertProfile(
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java
index a7ae77565b..257981f0ca 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/ClientsApiControllerIntegrationTest.java
@@ -95,6 +95,8 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
+import static org.niis.xroad.securityserver.restapi.util.CertificateTestUtils.MOCK_CERTIFICATE_HASH;
+import static org.niis.xroad.securityserver.restapi.util.CertificateTestUtils.WIDGITS_CERTIFICATE_HASH;
 import static org.niis.xroad.securityserver.restapi.util.CertificateTestUtils.getResource;
 import static org.niis.xroad.securityserver.restapi.util.DeviationTestUtils.assertErrorWithMetadata;
 import static org.niis.xroad.securityserver.restapi.util.DeviationTestUtils.assertErrorWithoutMetadata;
@@ -281,7 +283,7 @@ public void getClientSignCertificates() {
         assertEquals(Integer.valueOf(3), onlyCertificate.getCertificateDetails().getVersion());
         assertEquals("SHA512withRSA", onlyCertificate.getCertificateDetails().getSignatureAlgorithm());
         assertEquals("RSA", onlyCertificate.getCertificateDetails().getPublicKeyAlgorithm());
-        assertEquals("A2293825AA82A5429EC32803847E2152A303969C", onlyCertificate.getCertificateDetails().getHash());
+        assertEquals(MOCK_CERTIFICATE_HASH, onlyCertificate.getCertificateDetails().getHash());
         assertTrue(onlyCertificate.getCertificateDetails().getSignature().startsWith("314b7a50a09a9b74322671"));
         assertTrue(onlyCertificate.getCertificateDetails().getRsaPublicKeyModulus().startsWith("9d888fbe089b32a35f58"));
         assertEquals(Integer.valueOf(65537), onlyCertificate.getCertificateDetails().getRsaPublicKeyExponent());
@@ -403,9 +405,7 @@ public void findTlsCert() {
         assertEquals(HttpStatus.OK, findResponse.getStatusCode());
         assertEquals(CertificateTestUtils.getWidgitsCertificateHash(), findResponse.getBody().getHash());
         // case insensitive
-        findResponse =
-                clientsApiController.getClientTlsCertificate(TestUtils.CLIENT_ID_SS1,
-                        "63a104b2bac14667873c5dbd54be25bc687b3702");
+        findResponse = clientsApiController.getClientTlsCertificate(TestUtils.CLIENT_ID_SS1, WIDGITS_CERTIFICATE_HASH);
         assertEquals(HttpStatus.OK, findResponse.getStatusCode());
         assertEquals(CertificateTestUtils.getWidgitsCertificateHash(), findResponse.getBody().getHash());
         // not found
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
index dfd7df78ea..0535d50233 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/openapi/TokenCertificatesApiControllerIntegrationTest.java
@@ -438,7 +438,7 @@ private static void assertSignCertificateDetails(TokenCertificate tokenCertifica
         assertEquals(Integer.valueOf(3), certificateDetails.getVersion());
         assertEquals("SHA512withRSA", certificateDetails.getSignatureAlgorithm());
         assertEquals("RSA", certificateDetails.getPublicKeyAlgorithm());
-        assertEquals("A2293825AA82A5429EC32803847E2152A303969C", certificateDetails.getHash());
+        assertEquals("FAAFA4860332289F3083DE6BF955D4DF9AEEFB2B33CBCC66BD0EF27AB05C708D", certificateDetails.getHash());
         assertTrue(certificateDetails.getSignature().startsWith("314b7a50a09a9b74322671"));
         assertTrue(certificateDetails.getRsaPublicKeyModulus().startsWith("9d888fbe089b32a35f58"));
         assertEquals(Integer.valueOf(65537), certificateDetails.getRsaPublicKeyExponent());
@@ -457,7 +457,7 @@ private static void assertAuthCertificateDetails(TokenCertificate tokenCertifica
         assertEquals(Integer.valueOf(3), certificateDetails.getVersion());
         assertEquals("SHA256withRSA", certificateDetails.getSignatureAlgorithm());
         assertEquals("RSA", certificateDetails.getPublicKeyAlgorithm());
-        assertEquals("BA6CCC3B13E23BB1D40FD17631B7D93CF8334C0E", certificateDetails.getHash());
+        assertEquals("54E2586715084EBF37FE5CA8B761A208CD0D710699FC866A49684D8F62DA28D2", certificateDetails.getHash());
         assertTrue(certificateDetails.getSignature().startsWith("a11c4675cf4e2fa1664464"));
         assertTrue(certificateDetails.getRsaPublicKeyModulus().startsWith("92e952dfc1d84648c2873"));
         assertEquals(Integer.valueOf(65537), certificateDetails.getRsaPublicKeyExponent());
diff --git a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java
index 36e343f167..56f1d839a3 100644
--- a/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java
+++ b/src/security-server/admin-service/application/src/test/java/org/niis/xroad/securityserver/restapi/util/CertificateTestUtils.java
@@ -56,8 +56,8 @@ public final class CertificateTestUtils {
 
     // this is base64 encoded DER certificate from common-util/test/configuration-anchor.xml
 
-    public static final String MOCK_CERTIFICATE_HASH = "A2293825AA82A5429EC32803847E2152A303969C";
-    public static final String MOCK_AUTH_CERTIFICATE_HASH = "BA6CCC3B13E23BB1D40FD17631B7D93CF8334C0E";
+    public static final String MOCK_CERTIFICATE_HASH = "FAAFA4860332289F3083DE6BF955D4DF9AEEFB2B33CBCC66BD0EF27AB05C708D";
+    public static final String MOCK_AUTH_CERTIFICATE_HASH = "54E2586715084EBF37FE5CA8B761A208CD0D710699FC866A49684D8F62DA28D2";
 
     /**
      * Version: V3
@@ -88,7 +88,7 @@ public final class CertificateTestUtils {
                             + "lbEK6otefyJPn5vVwjz/+ywyqzx8YJM0vPkD/PghmJxunsJObbvif9FNZaxOaEzI9QDw"
                             + "0nWzbgvsCAqdcHqRjMEQwtU75fzfg==");
 
-    public static final String WIDGITS_CERTIFICATE_HASH = "63A104B2BAC14667873C5DBD54BE25BC687B3702";
+    public static final String WIDGITS_CERTIFICATE_HASH = "397E0AB871F42C48FCD718F4AC78B86DDCFE67CD80C75B31CEC910C64226485D";
 
     /**
      * Version: V3
diff --git a/src/security-server/admin-service/ui/src/components/certificate/CertificateHash.vue b/src/security-server/admin-service/ui/src/components/certificate/CertificateHash.vue
index 6f63e4b634..63cd7f65a0 100644
--- a/src/security-server/admin-service/ui/src/components/certificate/CertificateHash.vue
+++ b/src/security-server/admin-service/ui/src/components/certificate/CertificateHash.vue
@@ -45,7 +45,7 @@ export default defineComponent({
 
 <style lang="scss" scoped>
 .cert-hash {
-  font-size: 20px;
+  font-size: 16px;
   font-weight: 500;
   letter-spacing: 0.5px;
   line-height: 30px;
diff --git a/src/security-server/admin-service/ui/src/locales/en.json b/src/security-server/admin-service/ui/src/locales/en.json
index f47ed719cb..928cd2cfbb 100644
--- a/src/security-server/admin-service/ui/src/locales/en.json
+++ b/src/security-server/admin-service/ui/src/locales/en.json
@@ -163,7 +163,7 @@
     "disableSuccess": "Certificate has been disabled",
     "disabled": "disabled",
     "expires": "Expires",
-    "hashInfo": "Hash (SHA-1)",
+    "hashInfo": "Hash (SHA-256)",
     "inUse": "in use",
     "keyUsage": {
       "CRL_SIGN": "CRL Sign",
diff --git a/src/security-server/openapi-model/src/main/resources/META-INF/openapi-definition.yaml b/src/security-server/openapi-model/src/main/resources/META-INF/openapi-definition.yaml
index f8b74b4488..d2a542a339 100644
--- a/src/security-server/openapi-model/src/main/resources/META-INF/openapi-definition.yaml
+++ b/src/security-server/openapi-model/src/main/resources/META-INF/openapi-definition.yaml
@@ -399,13 +399,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '200':
           description: token certificate
@@ -436,13 +436,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: deletion was successful
@@ -475,13 +475,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: request was successful
@@ -507,13 +507,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: certificate was deactivated
@@ -541,13 +541,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '201':
           description: the imported certificate
@@ -588,13 +588,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '200':
           description: possible actions that can be done on the certificate
@@ -624,13 +624,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       requestBody:
         content:
           application/json:
@@ -663,13 +663,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: request was successful
@@ -713,13 +713,13 @@ paths:
       parameters:
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: request was successful
@@ -1609,13 +1609,13 @@ paths:
             maxLength: 1023
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '200':
           description: certificate details
@@ -1653,13 +1653,13 @@ paths:
             maxLength: 1023
         - in: path
           name: hash
-          description: SHA-1 hash of the certificate
+          description: SHA-256 hash of the certificate
           required: true
           schema:
             type: string
             format: text
             minLength: 1
-            maxLength: 40
+            maxLength: 64
       responses:
         '204':
           description: certificate deletion was successful
@@ -5659,10 +5659,10 @@ components:
         hash:
           type: string
           format: text
-          description: certificate SHA-1 hash
+          description: certificate SHA-256 hash
           example: 1234567890ABCDEF
           minLength: 1
-          maxLength: 40
+          maxLength: 64
         key_usages:
           type: array
           description: certificate key usage array
diff --git a/src/security-server/system-test/src/intTest/resources/behavior/03-globalconf/3000-global-conf-sign-key-rotation.feature b/src/security-server/system-test/src/intTest/resources/behavior/03-globalconf/3000-global-conf-sign-key-rotation.feature
index 4ba3ff8727..4e91502cf1 100644
--- a/src/security-server/system-test/src/intTest/resources/behavior/03-globalconf/3000-global-conf-sign-key-rotation.feature
+++ b/src/security-server/system-test/src/intTest/resources/behavior/03-globalconf/3000-global-conf-sign-key-rotation.feature
@@ -3,6 +3,6 @@
 Feature: 3000 - SS: Global Conf
 
   Scenario: Global conf sign keys rotation
-    Given Security Server's global conf expiration date is equal to 2033-11-21T08:27:35Z
+    Given Security Server's global conf expiration date is equal to 2033-11-28T21:39:05Z
     When Central Server's global conf is updated by a new active signing key
-    Then Security Server's global conf expiration date is equal to 2033-11-21T08:28:35Z
+    Then Security Server's global conf expiration date is equal to 2033-11-28T21:40:05Z
diff --git a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/fetchinterval-params.xml b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/fetchinterval-params.xml
similarity index 100%
rename from src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/fetchinterval-params.xml
rename to src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/fetchinterval-params.xml
diff --git a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/private-params.xml b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/private-params.xml
similarity index 100%
rename from src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/private-params.xml
rename to src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/private-params.xml
diff --git a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/shared-params.xml b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/shared-params.xml
similarity index 86%
rename from src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/shared-params.xml
rename to src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/shared-params.xml
index 3ba563f57c..cca83b4407 100644
--- a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231121222055281623000/shared-params.xml
+++ b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/20231129113225683586000/shared-params.xml
@@ -4,8 +4,8 @@
     <source>
         <address>cs</address>
         <internalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnw42v+CwPNmI7j24C0UHsNfhxDKa4rkpgqk4iKnQ5CyzSxveodbduAz+h2lHOHTpInOgtiYd8CUTJU/A9U0JWT8WA4yOWeALxgrRlAmR944bwTDKeGHvJniU7eR9hP0mKdXxPUtZOP0ERe6nqHIWG/f2NAX2Sx6dgWvo9NBnXZ/3lQagaUHk4mztVfk4jN5EzBqkgr3/2oXkX/O/M3hU2OqNoQSlHNbuTEkowkRWkU7UGKbkEuS+ldmbYWvTCeaQsJnjN+KvDyqTFex6UXkr69l7kMDuNlYxrsEfXc+5Yy6SZeglWIgiK+cgra9E7Tf6EJmZQwHkMa00xT+4oAk7/AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAMUN65mWqf8/PyIcqYq6OME0DNAeRn30I7/icLhuumGEHcdYSszeE89AtRi+KEFu1lKj4rAn6Ha+60JP/3bIMtq807r1V6RTw62ZHIQTbB2hXqQTItbWIcnNqUu0RVeqtE0KLkz1K/sy++UpYabkl+sWQm4Q7rtIrGcGoMI997k2hZ1vycfHP/BJ6zv1hBi44al8vwQ+b63xMcJXGLUZUr0cMPBIwwndEUN1noeetb+JEMoBRYgsDcOpXzAdZObLUoT+SEwUs9h9ZH01W0Vvz9X1QaGEwe1+Lm7HJxGOODjC+oPSSbQ2yx+V3OMq31Zji9GeTIw6l5iT+wvykjTiyXA==</internalVerificationCert>
-        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1j5/OWAjxaKAS5jjmUAe/+f3/h+KhdVMqS5YPQm0DQJq1X1rdkz7BeJ7so6g6mij/NjcbW3i/sqs8KT/Pzw3EEO6gcOYojIrumcmk2q0gbD15sTtieTc7We4N5tgu8Y5RUIlVntriKg0yyaReURDc1j+40YQVsXmnUI9awzRoLudAkfh4t9fblWg+OQ8neu73fpb6XXyPcACFowLbvmJXZcX33rFqguO7t+ulC3oaBwc0IVrmR+VwSDLS9jTzzItz9f3DVFRUM2rdQ1HMTYYZltREn12Wn9OZ7q8LhElnrp8mO/HccBOvqlyKAfLJq86xS+2qH04IIr81Pz/76cJxAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCIdBxRvLYCd5KwuXxusH6DlXf/+s7cZUwQEJaFnWeUG8tsVWVCcUixi4bJcigIsJSP+UKY27rnGe0XDtT4wUvvtrZPmtxIv6tIecDS8/Sq53+3EcR2Apdaqb9dt332RGHPZSE1NWS84C2YB9RE17sSUv10fkqYmLUZ6TJWfkup1iQfxNtRTbzDya4+ml7xA1WKLeNwNpFREBK7xjUlHexUI/jvs8uUR1tkTy9e8z9Wp3PnxAWuxn7kbSVBuXmemsyffogKFqryIWpEcf1vATyXPT3uaLs/vEbJHaBsKkFUd+OAd8mNoromRx+8xvErfmnxvjfr3t4I2QzFFo3Yoqtx</internalVerificationCert>
-        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDMsH4ke1BHZ9suOHQTteJ3Wfq0XVp9McOaZbMRQQMw6RcWlHnoz2dd9s2jLEM2REzxHBnAbcF3imlAqV0XgKE4TbOy4HZVmhDmzlMNmOySxR1oijke6pM9bkQFYd3Ml/0g69Cj5p5urWxRnzfeFCYlMkCNKOem1aiUq8OrjyKbYGn6VxDmzatDUi9UzQJ2ecGhTIfJetozhWuBJv12rXHx4fcMrz2uyLiSeR7BOAzBbQA7XCbGoavuoOZLl6AS0dmubz8ukTcMGMuqJFdq7ClpkajLGztnQFtujcG94DKza7/bX0jcUTPIWaXLPuoPJztV3N/CDXzYFeWG+TkTXMnAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCMNLB2zkc5VnVC2bVzKwLo26r0PZ5UH2vdZ16S1STS1g52Akufpq55vaOSCob9+DDSNo6717FtLDIozxEN0BiuOZgqUAvEqbNK7hpK8C/knLKv2y/APug2AyXkeSetROIkGusKjU1gMVhT68XOLDcglpMTFkbkKOhg7UwrmHtkTf89fWOLi2qCeWLEo/KOCAXAayumbtvWlAiULO0DzZ4rPled3wOGS7nPNwn8BzBl+iE053ILxLG9mDi+lFQhuh65EOXK8Ibv0ouix/EPT9dZKqnldPU8e9HeSsGRKrfknUDF43MdOrFL0rkucKPsHAJaRJZyILpROX8DAJS5zbAo</externalVerificationCert>
+        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdKaVKY+rfzXNrMLPDa3dbSmKbo5Lq2V3y/3AaAT8diQNLyt5/wYpemdiL2A+tPGMz0BvnZfRaHoZ0v3TUSoXLRz6Z5qkS/bUQgFKKV7IcCD+59MsA71DDdmIRQxmWK8exis+UUu0Iz0YyCzQ2rZoZrBAAakQDhq2OI8E6isLnaYMZQJtCgkY69x/pn2dOdv4lg6TTWvnisGFTlHqGeIii7qdjguNpDub5gNSmvGvqdZjKpkvV+EZbdEYpwMIPgnDz41ho5Vcz3/XAOMJ4EHutV+nl582fCFPG9Ov/ABdxP2DtmgX+xVLM9llROz41pF0VUChUm+/emtSW3jZpiqMdAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCFtX+p5uNDfTsNAhJUwWWWwOzHcYdB5Gn0D2cUw04CwCtbmxT3p8icLQ59qT7DhfK2YdAFFBy2eL64qHrTTUfQfs0TnzSMz+W5LTDPDEowx8dlzOb/fDW7FBzwO88T9r1CORo5V1faVggUpbMOzpDo6arcNdRZRH9yXXFX1jFjzApRGCqUAEiZRW07sBYaqbcHBZjyzSFgsWOp2j2xwm0BcCVKO0ir20hqIi8mQgg5nFTgCGQ3y163gwTWGZFCgJxb9MDhfT+Iw2w2lSuDvD03kgBYfZOQ14MLXmrDP24bXbgk2eXeaBPqooCHT2LakUFy8CLQjkQ8yYnOfW9ypK6x</internalVerificationCert>
+        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqvu5l/W8JATPxOIJv2OQggZazws9jcSneTzOsS3yLwRD/00BhVfAW3dtiGkxWwmT60/lG6c4TbE/uKoCjQQKN5BtEoezve+tGA2OgxHz7rNdih4bDVt1Jt+MCHLwVnfwMGr7HRXFP5DzMOoD91kAA1lURBl6i65MvFde4w/h7bLCNe9PEehXtq59q9kpaEGK58bVCCUp4Y/r0xvAadLO4wqFnV6q1faAXvzW9rLMb+VUtBDvEDQUaanJ9pqd1f25DfpdwxJdPZAZB8OlzlyNN+EeCp7Ik73INCX+AIG052X8ORxDtiEcmCG7YcQ3aR5bJJrKgc+K6AeIFcSkTi3C7AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCoi8cN7dR2uy+FJG27FVVXpzsEVG1I13ZoFxauS5ZSJ4l/jqB/ptcVxdjZMS9hkZxDRBRkkV6SjL9XfVvIRRYG1t91Mk0krGWICycGs8ObkoD5tF6Zje1+xnHsGFEjs4aqJE2fhbm8ixoMIRKjEWZ4yIdhpSaEDvnB+SpLnhn9WInbicr+fs6lb9RuB+ElDg93ht7eZYBep8MmgKtgfITj6/1Lgqd2l2lr3/jaeba/j0MmB8ljDfU1s3RkfJWxjqfnJFWxdFX7LCIbjrzEtYq+Lk0CLHnmnNkykWGG3xFaK4bc7JLi7Abz4GhktfFRgsxwh5kZxD0Cs9YtMB+mS2MV</externalVerificationCert>
         <externalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBUNj9zuGBZYgiQ1q4jxePy7Cpe8bbr37+ySnjkQKl8D0G/6vIrPZPqz2RRk1QaKmV1wkFlcCksyu+0QVPnpmjRY6AlkWRRCciT21jCHpCef9kwjT++NwUAV8gJ+soIqasWUCZpJPEDkCVrB+/jO22Wltdzpqmj3yX2N1zRIG6ddqoOIez5W0c2sty7w1sHnC+adFoBIWsZctNHfLlInKEkStTa78XTrK8EnjR8qzpZVYjh0WxOZvN7oqNZDdUgeG3gB29TLpj2o4H/rTbUlgJT0gBS/AHIxMzRPUbMVaeDNGap6Ofje/8Jc1tbOdL5wjYc9pYbU5pwz/oSGMI6taBAgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAUVM+woAREwkKFY1uEZVOSHNy1SlzrEJD3gPm/ui+Y93LvGrCSrwVJVUqd3dkb9IsHD6Jev/SXjEF/phGVVy0WHS8EXJpkLGdV/lRl/TnhZvQ6k7q5amUd43bxIHb3Jpn4z3fpWgX07/op3SOWSBSKVOD4mrhIQQkwJQKTSkjFDXrJEijYcyT+rgUUeOWiNSnbi7nGnBgJlIA5ff1ojmb9kBiFUNS3tHYG0heEkX46rs6Al9gqjZtaiDK6XkZwlkqx769LzxRlnlrULzQpW1SwEyEQdVzZP/kqSsqfyMNmeokO1hk+FtFvoRi3XG1uEYJO+M8oPvo99+Gyu45IQrmig==</externalVerificationCert>
     </source>
     <approvedCA>
@@ -67,7 +67,7 @@
         <owner>id0</owner>
         <serverCode>SS0</serverCode>
         <address>ss0</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id1</client>
         <client>id7</client>
     </securityServer>
@@ -75,7 +75,7 @@
         <owner>id4</owner>
         <serverCode>SS1</serverCode>
         <address>ss1</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id5</client>
         <client>id6</client>
         <client>id3</client>
diff --git a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/externalconf b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/externalconf
index c38140eb99..f52b703aa4 100644
--- a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/externalconf
+++ b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/externalconf
@@ -1,27 +1,27 @@
-Content-Type: multipart/related; charset=UTF-8; boundary=AWQc80yylFzUQ5zipnXX
+Content-Type: multipart/related; charset=UTF-8; boundary=7IOBpo4mLF3HAETP34KH
 
---AWQc80yylFzUQ5zipnXX
-Content-Type: multipart/mixed; charset=UTF-8; boundary=uI2H9F0ODOfA2urfK1Gc
+--7IOBpo4mLF3HAETP34KH
+Content-Type: multipart/mixed; charset=UTF-8; boundary=nGfgBjv2ZX12L05rJkuG
 
---uI2H9F0ODOfA2urfK1Gc
-Expire-date: 2033-11-21T08:28:35Z
+--nGfgBjv2ZX12L05rJkuG
+Expire-date: 2033-11-28T21:40:05Z
 Version: 3
 
---uI2H9F0ODOfA2urfK1Gc
+--nGfgBjv2ZX12L05rJkuG
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
 Content-identifier: SHARED-PARAMETERS; instance='CS'
-Content-location: /V3/20231121222055281623000/shared-params.xml
+Content-location: /V3/20231129113225683586000/shared-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
-0rCJjPxU88riiyl7UF+QzzEvyKXfq+OhO4e8y61FTCwU63he2rXhScTW8hqKb3e4SMr3VXc0eDWlA7EXFpIksQ==
---uI2H9F0ODOfA2urfK1Gc--
+QKsJGKPADhyORTvUtLWrW3keNxS+vPkT4tSV9Vl97XXhw7IzMBCmi794fLOIlTSJ5AGnsxGZnZa8St1Vo3AIYg==
+--nGfgBjv2ZX12L05rJkuG--
 
---AWQc80yylFzUQ5zipnXX
+--7IOBpo4mLF3HAETP34KH
 Content-Type: application/octet-stream
 Content-Transfer-Encoding: base64
 Signature-Algorithm-Id: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
-Verification-certificate-hash: wFaBh6LDj/0Y/xa5lEUtfC58k/Yo8aSMmhunp+JKjy4qtAlR64j8mI1Hc3I+qveHBTCiymLQRmjNJ01WC/T3jw==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
+Verification-certificate-hash: a7h8h3FWLnEOMhXHx/OrKiX7LyZUfnPsulsb5DHGivUUXHCbwZvicebzc/rW0AuXARc7wWdkfLtXM+wFnqJuHA==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
 
-v98Yrui8f5OKGY88AKSjzJiHwRRzKJKg0X4XCYlLCtROVhafqlpbWPtATVjhVO2BO87gvz98r8cQP52wHPelUQtNM/J5ff4xkacxvOKBgPBnFV0772ybKCqyJjGSEqejNjZhoqqy+qSaMm02HivY2K9+6AumtO9YMmIoWKWWhj8DZMpZdV7G0No0e/3HeviHsJ0GAUvMRK6GMXtmbP+OWtq6+Jnxoj8RVUl8BmFtsHUh5pFn71HZL0wPHNApTfEjKIxrCUfbeWwf1c8Gf9l+zIKxRyMH3ubST+M+cSyQcFJ6t0+y6/kbXcu7NvG2u5hqEXmznzHsK6o6WlI5rZI2lQ==
---AWQc80yylFzUQ5zipnXX--
+H9WjpnY7HLg17dcT7tVA44lh8b0DT5BXQ1uuQLRnDl+Q186yabPW5PIfgw7xMBPu9Fk0meUkVFGIwKYTgCbkGwQQmYKNNYSKrKa54mObDQQ8veZt/0ABmgyHK+P1O9AypzFEumMehGyfjUEhZ2ZCjFNTyWaf+DmedtePtiy7VGlXZI4gWKyzoAcdKiZe5312v+clMU380FDbR/+MKEc7wAHrHvYxeAZg0jePzhLaGPa3HJnx3sEBT750PvlS40BZj8X+2crMN1M56xhb2z1OvmALYwE4LR+UANUbVrI52FCKOUcjcfCR5S5+R/XsXXVNPvAOfoGXAUZpkNbjOSaQog==
+--7IOBpo4mLF3HAETP34KH--
diff --git a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/internalconf b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/internalconf
index abc0e74fa5..906fbefe86 100644
--- a/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/internalconf
+++ b/src/security-server/system-test/src/intTest/resources/files/global_conf_signed_with_rotated_keys/V3/internalconf
@@ -1,35 +1,35 @@
-Content-Type: multipart/related; charset=UTF-8; boundary=UzsIPZJBRy35y3gr68zV
+Content-Type: multipart/related; charset=UTF-8; boundary=1druIujQ62Zz6U8Cxf5v
 
---UzsIPZJBRy35y3gr68zV
-Content-Type: multipart/mixed; charset=UTF-8; boundary=NrwegbKJRvYspak8Bk8N
+--1druIujQ62Zz6U8Cxf5v
+Content-Type: multipart/mixed; charset=UTF-8; boundary=ZNLSJvTQoNVON6rdSJQh
 
---NrwegbKJRvYspak8Bk8N
-Expire-date: 2033-11-21T08:28:35Z
+--ZNLSJvTQoNVON6rdSJQh
+Expire-date: 2033-11-28T21:40:05Z
 Version: 3
 
---NrwegbKJRvYspak8Bk8N
+--ZNLSJvTQoNVON6rdSJQh
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
 Content-identifier: PRIVATE-PARAMETERS; instance='CS'
-Content-location: /V3/20231121222055281623000/private-params.xml
+Content-location: /V3/20231129113225683586000/private-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
 CZdYikpIxQHoYXm0bmBDemWRz9sWlt40a8JjYAe8GQXHXR5wGG0CwmHYqRvO/LbjdtYiRB519ms7ZbvUx1iVSw==
---NrwegbKJRvYspak8Bk8N
+--ZNLSJvTQoNVON6rdSJQh
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
 Content-identifier: SHARED-PARAMETERS; instance='CS'
-Content-location: /V3/20231121222055281623000/shared-params.xml
+Content-location: /V3/20231129113225683586000/shared-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
-0rCJjPxU88riiyl7UF+QzzEvyKXfq+OhO4e8y61FTCwU63he2rXhScTW8hqKb3e4SMr3VXc0eDWlA7EXFpIksQ==
---NrwegbKJRvYspak8Bk8N--
+QKsJGKPADhyORTvUtLWrW3keNxS+vPkT4tSV9Vl97XXhw7IzMBCmi794fLOIlTSJ5AGnsxGZnZa8St1Vo3AIYg==
+--ZNLSJvTQoNVON6rdSJQh--
 
---UzsIPZJBRy35y3gr68zV
+--1druIujQ62Zz6U8Cxf5v
 Content-Type: application/octet-stream
 Content-Transfer-Encoding: base64
 Signature-Algorithm-Id: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
-Verification-certificate-hash: wOy0W+SXQDq8MKrZKmzVe/k+Uv7wkqbIxzwFfUgBcaiY3caQh0TO5ggZVcZfVUgBx4jUFa1FLvNo/Hrio/JLBA==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
+Verification-certificate-hash: wDH8OifmQ/aDBfbWrWzrwvrXQcpwTwhEpgoYMMPYdBZFVmmjZfjFuHEK8vfbX3dEfyzwmWW1yhYW3LSuEwPpag==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
 
-CbFHytlfnoNDEZdsVhGgsVUkmpVucF//YpildSYYkc0suQQl7/DR85TkuxT8DGUhnIkZJV1xKFOE4GS8nlRhZ3YFOzhjC26++FSNDmSg7izgSdWsHAikjrfICfkpqw4f7XTtZnvqskhEunY0m69MM0tEDgXqXZ02vG7aDrHe2RsI05FCu42DxQxP+ngzUjN0Sa+PPfLbE6jnM65wdAwg91iKFsqB8JeXEDi3ry1ZTAFq1AJO2/Edkth9PoI7VyNAnCzMHvuVJ999Ex7E/TnCJX/8oYjoSdjWvIDcCBoV1mcgvUmKFhzuc/8IgtLYs+9zX+oRSqRRY05Ewzta04HHuQ==
---UzsIPZJBRy35y3gr68zV--
+Syw4IDStAU+ZBHx0ddPXCRLXwjhXacZH1GTZcTYhy1g6fEyR1GcVIOfcuzFR9pNKPow4qLBGOtYiLFPB+AFoWIA771O17l3+6NNKdQqaA1Zfax3ZmMLmCLIX5+JynBpPYO/lPX/7l3h2nBwNpBm6PPjoJyNFi7AvHudWEkUeVHSuoUXnSuXcxx2zsRW7LGzObHTnFUSuEYwAhrWkQ+CVD/w10I+JFpK8g/SoXQ0YMb8hHIlccqYdexLbiw3oXmB3CJaQf4v3t6LIKWcY1xHna82NDq7lSysd7oHHG/jPSTSdiWgS2+W9cjp86q2rAJLj/olIIlO89HsMk5DkT/MPuQ==
+--1druIujQ62Zz6U8Cxf5v--
diff --git a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/fetchinterval-params.xml b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/fetchinterval-params.xml
similarity index 100%
rename from src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/fetchinterval-params.xml
rename to src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/fetchinterval-params.xml
diff --git a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/private-params.xml b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/private-params.xml
similarity index 100%
rename from src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/private-params.xml
rename to src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/private-params.xml
diff --git a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/shared-params.xml b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/shared-params.xml
similarity index 86%
rename from src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/shared-params.xml
rename to src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/shared-params.xml
index 5f7510f29b..315876cb97 100644
--- a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231121221955286271000/shared-params.xml
+++ b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/20231129113125682194000/shared-params.xml
@@ -3,10 +3,10 @@
     <instanceIdentifier>CS</instanceIdentifier>
     <source>
         <address>cs</address>
+        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdKaVKY+rfzXNrMLPDa3dbSmKbo5Lq2V3y/3AaAT8diQNLyt5/wYpemdiL2A+tPGMz0BvnZfRaHoZ0v3TUSoXLRz6Z5qkS/bUQgFKKV7IcCD+59MsA71DDdmIRQxmWK8exis+UUu0Iz0YyCzQ2rZoZrBAAakQDhq2OI8E6isLnaYMZQJtCgkY69x/pn2dOdv4lg6TTWvnisGFTlHqGeIii7qdjguNpDub5gNSmvGvqdZjKpkvV+EZbdEYpwMIPgnDz41ho5Vcz3/XAOMJ4EHutV+nl582fCFPG9Ov/ABdxP2DtmgX+xVLM9llROz41pF0VUChUm+/emtSW3jZpiqMdAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCFtX+p5uNDfTsNAhJUwWWWwOzHcYdB5Gn0D2cUw04CwCtbmxT3p8icLQ59qT7DhfK2YdAFFBy2eL64qHrTTUfQfs0TnzSMz+W5LTDPDEowx8dlzOb/fDW7FBzwO88T9r1CORo5V1faVggUpbMOzpDo6arcNdRZRH9yXXFX1jFjzApRGCqUAEiZRW07sBYaqbcHBZjyzSFgsWOp2j2xwm0BcCVKO0ir20hqIi8mQgg5nFTgCGQ3y163gwTWGZFCgJxb9MDhfT+Iw2w2lSuDvD03kgBYfZOQ14MLXmrDP24bXbgk2eXeaBPqooCHT2LakUFy8CLQjkQ8yYnOfW9ypK6x</internalVerificationCert>
         <internalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnw42v+CwPNmI7j24C0UHsNfhxDKa4rkpgqk4iKnQ5CyzSxveodbduAz+h2lHOHTpInOgtiYd8CUTJU/A9U0JWT8WA4yOWeALxgrRlAmR944bwTDKeGHvJniU7eR9hP0mKdXxPUtZOP0ERe6nqHIWG/f2NAX2Sx6dgWvo9NBnXZ/3lQagaUHk4mztVfk4jN5EzBqkgr3/2oXkX/O/M3hU2OqNoQSlHNbuTEkowkRWkU7UGKbkEuS+ldmbYWvTCeaQsJnjN+KvDyqTFex6UXkr69l7kMDuNlYxrsEfXc+5Yy6SZeglWIgiK+cgra9E7Tf6EJmZQwHkMa00xT+4oAk7/AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAMUN65mWqf8/PyIcqYq6OME0DNAeRn30I7/icLhuumGEHcdYSszeE89AtRi+KEFu1lKj4rAn6Ha+60JP/3bIMtq807r1V6RTw62ZHIQTbB2hXqQTItbWIcnNqUu0RVeqtE0KLkz1K/sy++UpYabkl+sWQm4Q7rtIrGcGoMI997k2hZ1vycfHP/BJ6zv1hBi44al8vwQ+b63xMcJXGLUZUr0cMPBIwwndEUN1noeetb+JEMoBRYgsDcOpXzAdZObLUoT+SEwUs9h9ZH01W0Vvz9X1QaGEwe1+Lm7HJxGOODjC+oPSSbQ2yx+V3OMq31Zji9GeTIw6l5iT+wvykjTiyXA==</internalVerificationCert>
-        <internalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJpbnRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1j5/OWAjxaKAS5jjmUAe/+f3/h+KhdVMqS5YPQm0DQJq1X1rdkz7BeJ7so6g6mij/NjcbW3i/sqs8KT/Pzw3EEO6gcOYojIrumcmk2q0gbD15sTtieTc7We4N5tgu8Y5RUIlVntriKg0yyaReURDc1j+40YQVsXmnUI9awzRoLudAkfh4t9fblWg+OQ8neu73fpb6XXyPcACFowLbvmJXZcX33rFqguO7t+ulC3oaBwc0IVrmR+VwSDLS9jTzzItz9f3DVFRUM2rdQ1HMTYYZltREn12Wn9OZ7q8LhElnrp8mO/HccBOvqlyKAfLJq86xS+2qH04IIr81Pz/76cJxAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCIdBxRvLYCd5KwuXxusH6DlXf/+s7cZUwQEJaFnWeUG8tsVWVCcUixi4bJcigIsJSP+UKY27rnGe0XDtT4wUvvtrZPmtxIv6tIecDS8/Sq53+3EcR2Apdaqb9dt332RGHPZSE1NWS84C2YB9RE17sSUv10fkqYmLUZ6TJWfkup1iQfxNtRTbzDya4+ml7xA1WKLeNwNpFREBK7xjUlHexUI/jvs8uUR1tkTy9e8z9Wp3PnxAWuxn7kbSVBuXmemsyffogKFqryIWpEcf1vATyXPT3uaLs/vEbJHaBsKkFUd+OAd8mNoromRx+8xvErfmnxvjfr3t4I2QzFFo3Yoqtx</internalVerificationCert>
+        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqvu5l/W8JATPxOIJv2OQggZazws9jcSneTzOsS3yLwRD/00BhVfAW3dtiGkxWwmT60/lG6c4TbE/uKoCjQQKN5BtEoezve+tGA2OgxHz7rNdih4bDVt1Jt+MCHLwVnfwMGr7HRXFP5DzMOoD91kAA1lURBl6i65MvFde4w/h7bLCNe9PEehXtq59q9kpaEGK58bVCCUp4Y/r0xvAadLO4wqFnV6q1faAXvzW9rLMb+VUtBDvEDQUaanJ9pqd1f25DfpdwxJdPZAZB8OlzlyNN+EeCp7Ik73INCX+AIG052X8ORxDtiEcmCG7YcQ3aR5bJJrKgc+K6AeIFcSkTi3C7AgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCoi8cN7dR2uy+FJG27FVVXpzsEVG1I13ZoFxauS5ZSJ4l/jqB/ptcVxdjZMS9hkZxDRBRkkV6SjL9XfVvIRRYG1t91Mk0krGWICycGs8ObkoD5tF6Zje1+xnHsGFEjs4aqJE2fhbm8ixoMIRKjEWZ4yIdhpSaEDvnB+SpLnhn9WInbicr+fs6lb9RuB+ElDg93ht7eZYBep8MmgKtgfITj6/1Lgqd2l2lr3/jaeba/j0MmB8ljDfU1s3RkfJWxjqfnJFWxdFX7LCIbjrzEtYq+Lk0CLHnmnNkykWGG3xFaK4bc7JLi7Abz4GhktfFRgsxwh5kZxD0Cs9YtMB+mS2MV</externalVerificationCert>
         <externalVerificationCert>MIICqTCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANOL0EwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAOMQwwCgYDVQQDDANOL0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBUNj9zuGBZYgiQ1q4jxePy7Cpe8bbr37+ySnjkQKl8D0G/6vIrPZPqz2RRk1QaKmV1wkFlcCksyu+0QVPnpmjRY6AlkWRRCciT21jCHpCef9kwjT++NwUAV8gJ+soIqasWUCZpJPEDkCVrB+/jO22Wltdzpqmj3yX2N1zRIG6ddqoOIez5W0c2sty7w1sHnC+adFoBIWsZctNHfLlInKEkStTa78XTrK8EnjR8qzpZVYjh0WxOZvN7oqNZDdUgeG3gB29TLpj2o4H/rTbUlgJT0gBS/AHIxMzRPUbMVaeDNGap6Ofje/8Jc1tbOdL5wjYc9pYbU5pwz/oSGMI6taBAgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQ0FAAOCAQEAUVM+woAREwkKFY1uEZVOSHNy1SlzrEJD3gPm/ui+Y93LvGrCSrwVJVUqd3dkb9IsHD6Jev/SXjEF/phGVVy0WHS8EXJpkLGdV/lRl/TnhZvQ6k7q5amUd43bxIHb3Jpn4z3fpWgX07/op3SOWSBSKVOD4mrhIQQkwJQKTSkjFDXrJEijYcyT+rgUUeOWiNSnbi7nGnBgJlIA5ff1ojmb9kBiFUNS3tHYG0heEkX46rs6Al9gqjZtaiDK6XkZwlkqx769LzxRlnlrULzQpW1SwEyEQdVzZP/kqSsqfyMNmeokO1hk+FtFvoRi3XG1uEYJO+M8oPvo99+Gyu45IQrmig==</externalVerificationCert>
-        <externalVerificationCert>MIIC2DCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwHhcNNzAwMTAxMDAwMDAwWhcNMzgwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJleHRlcm5hbFNpZ25pbmdLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDMsH4ke1BHZ9suOHQTteJ3Wfq0XVp9McOaZbMRQQMw6RcWlHnoz2dd9s2jLEM2REzxHBnAbcF3imlAqV0XgKE4TbOy4HZVmhDmzlMNmOySxR1oijke6pM9bkQFYd3Ml/0g69Cj5p5urWxRnzfeFCYlMkCNKOem1aiUq8OrjyKbYGn6VxDmzatDUi9UzQJ2ecGhTIfJetozhWuBJv12rXHx4fcMrz2uyLiSeR7BOAzBbQA7XCbGoavuoOZLl6AS0dmubz8ukTcMGMuqJFdq7ClpkajLGztnQFtujcG94DKza7/bX0jcUTPIWaXLPuoPJztV3N/CDXzYFeWG+TkTXMnAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICRDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4IBAQCMNLB2zkc5VnVC2bVzKwLo26r0PZ5UH2vdZ16S1STS1g52Akufpq55vaOSCob9+DDSNo6717FtLDIozxEN0BiuOZgqUAvEqbNK7hpK8C/knLKv2y/APug2AyXkeSetROIkGusKjU1gMVhT68XOLDcglpMTFkbkKOhg7UwrmHtkTf89fWOLi2qCeWLEo/KOCAXAayumbtvWlAiULO0DzZ4rPled3wOGS7nPNwn8BzBl+iE053ILxLG9mDi+lFQhuh65EOXK8Ibv0ouix/EPT9dZKqnldPU8e9HeSsGRKrfknUDF43MdOrFL0rkucKPsHAJaRJZyILpROX8DAJS5zbAo</externalVerificationCert>
     </source>
     <approvedCA>
         <name>X-Road Test CA CN</name>
@@ -67,7 +67,7 @@
         <owner>id0</owner>
         <serverCode>SS0</serverCode>
         <address>ss0</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id1</client>
         <client>id7</client>
     </securityServer>
@@ -75,7 +75,7 @@
         <owner>id4</owner>
         <serverCode>SS1</serverCode>
         <address>ss1</address>
-        <authCertHash>5+C5Gr24Dh912x5haKGOyZuK2KI=</authCertHash>
+        <authCertHash>enRxKzBGb0q7sUJa8Hx0A5aHmQwCa1HzWNFrN3ZDDJw=</authCertHash>
         <client>id5</client>
         <client>id6</client>
         <client>id3</client>
diff --git a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/externalconf b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/externalconf
index 325acb7306..ddf060232f 100644
--- a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/externalconf
+++ b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/externalconf
@@ -1,27 +1,27 @@
-Content-Type: multipart/related; charset=UTF-8; boundary=CVeJGD73TvGUZv9ZZ9i8
+Content-Type: multipart/related; charset=UTF-8; boundary=VExPODxb8lospT8i7pIz
 
---CVeJGD73TvGUZv9ZZ9i8
-Content-Type: multipart/mixed; charset=UTF-8; boundary=vT43AbHTUQ2oSqt6U6cU
+--VExPODxb8lospT8i7pIz
+Content-Type: multipart/mixed; charset=UTF-8; boundary=dUmU6qS4i6QOb0OUYIAy
 
---vT43AbHTUQ2oSqt6U6cU
-Expire-date: 2033-11-21T08:27:35Z
+--dUmU6qS4i6QOb0OUYIAy
+Expire-date: 2033-11-28T21:39:05Z
 Version: 3
 
---vT43AbHTUQ2oSqt6U6cU
+--dUmU6qS4i6QOb0OUYIAy
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
 Content-identifier: SHARED-PARAMETERS; instance='CS'
-Content-location: /V3/20231121221955286271000/shared-params.xml
+Content-location: /V3/20231129113125682194000/shared-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
-YXrAZjfQi2QkS0V0hlzs26s7P+Bn5iBuHYPVz0F6wkKAPN90SswEXZOM5+zflfwd3gAr4zObB+k5JY9Jv66eJw==
---vT43AbHTUQ2oSqt6U6cU--
+9+Dr2XnhYsOZxkqSvNOwP6eWHIWOEcVW3tncESSwSQP6wx3iS5Xo93AGCMgBYR0T0NBb0SwswBoGNGzmRKWuyg==
+--dUmU6qS4i6QOb0OUYIAy--
 
---CVeJGD73TvGUZv9ZZ9i8
+--VExPODxb8lospT8i7pIz
 Content-Type: application/octet-stream
 Content-Transfer-Encoding: base64
 Signature-Algorithm-Id: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
 Verification-certificate-hash: b3o02jG7H3yLmgGCQm4uvRJ8hs8YdAlyBTEct5Bvp6/sTmGNA4SSi9jC7CYt91BjXTkncMtPZ7T966PldCIt5g==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
 
-I6iDoiJV1jVBxFDOFKQXlNocAclA3I0fn3J7y/EVyP2e0i6cr8VkDm+Ir2+rPpMeKrjC0dTV0LItGDl0GazRDzBnZUodXWtGgtY1W5MEnLcZ+DFRLId4Ck03gBLtJI/mt0ZOO05KN5UwigN/in017YeLF1bvfkOmMTI/VyTWhoOnfTOAapQAxm44FQiRGyFK92eb4Unn23WcE0TerbnriQzALSNO+jWsZTWZtfVUSfTTHGr1DRYpBIVigZF79Fl+GN/h+x8T/ZSKlffxyh+e6tu33w/c3TTWytAgca0Z/h0CwIrfIfoqyJ6/2yVQdYruLZp+o8jJ3mRDESzx4yf+ZQ==
---CVeJGD73TvGUZv9ZZ9i8--
+NSxbNv+P7Jmci4vzN19T+8E/YCHRwivd1nxfRxZF19x7eiHAGs3JmNGCzEcehl6TjVRyo02ioEGa7RjNpmKK8cj04PZseZjktPn0tV2HxKKv1iSShVBeTVuXSJCyx6NTxYTKTVg09s+fnm+gtnTXGP/3iqDA2wpVpmmCmpiD1JG24AP0fCeQOk8HhaN7uNtJmsWzcIzQOJWmtOFoaOjhvmAs/bg17I2ilGLwOQtklpbWkCqul675ljeDcSERIgCYvYfZ/1E7DSu6aNyQJ9UPhqeXtvaxrsFC0R6ZIMD5cuVUbcZ38dBjWizdZEzcZXqSCs0lILfJ8uKUeu+2NBoZfA==
+--VExPODxb8lospT8i7pIz--
diff --git a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/internalconf b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/internalconf
index e4422e7174..bdcdac7455 100644
--- a/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/internalconf
+++ b/src/security-server/system-test/src/intTest/resources/nginx-container-files/var/lib/xroad/public/V3/internalconf
@@ -1,35 +1,35 @@
-Content-Type: multipart/related; charset=UTF-8; boundary=Sv3f3hdE8vgnvytgxWUg
+Content-Type: multipart/related; charset=UTF-8; boundary=hrn7OEepS7ichxMkY3LK
 
---Sv3f3hdE8vgnvytgxWUg
-Content-Type: multipart/mixed; charset=UTF-8; boundary=ZMpXdlAPFlPtPIp2KJiv
+--hrn7OEepS7ichxMkY3LK
+Content-Type: multipart/mixed; charset=UTF-8; boundary=zTuPlfMdubhsRlMTSoiD
 
---ZMpXdlAPFlPtPIp2KJiv
-Expire-date: 2033-11-21T08:27:35Z
+--zTuPlfMdubhsRlMTSoiD
+Expire-date: 2033-11-28T21:39:05Z
 Version: 3
 
---ZMpXdlAPFlPtPIp2KJiv
+--zTuPlfMdubhsRlMTSoiD
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
-Content-identifier: PRIVATE-PARAMETERS; instance='CS'
-Content-location: /V3/20231121221955286271000/private-params.xml
+Content-identifier: SHARED-PARAMETERS; instance='CS'
+Content-location: /V3/20231129113125682194000/shared-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
-CZdYikpIxQHoYXm0bmBDemWRz9sWlt40a8JjYAe8GQXHXR5wGG0CwmHYqRvO/LbjdtYiRB519ms7ZbvUx1iVSw==
---ZMpXdlAPFlPtPIp2KJiv
+9+Dr2XnhYsOZxkqSvNOwP6eWHIWOEcVW3tncESSwSQP6wx3iS5Xo93AGCMgBYR0T0NBb0SwswBoGNGzmRKWuyg==
+--zTuPlfMdubhsRlMTSoiD
 Content-type: application/octet-stream
 Content-transfer-encoding: base64
-Content-identifier: SHARED-PARAMETERS; instance='CS'
-Content-location: /V3/20231121221955286271000/shared-params.xml
+Content-identifier: PRIVATE-PARAMETERS; instance='CS'
+Content-location: /V3/20231129113125682194000/private-params.xml
 Hash-algorithm-id: http://www.w3.org/2001/04/xmlenc#sha512
 
-YXrAZjfQi2QkS0V0hlzs26s7P+Bn5iBuHYPVz0F6wkKAPN90SswEXZOM5+zflfwd3gAr4zObB+k5JY9Jv66eJw==
---ZMpXdlAPFlPtPIp2KJiv--
+CZdYikpIxQHoYXm0bmBDemWRz9sWlt40a8JjYAe8GQXHXR5wGG0CwmHYqRvO/LbjdtYiRB519ms7ZbvUx1iVSw==
+--zTuPlfMdubhsRlMTSoiD--
 
---Sv3f3hdE8vgnvytgxWUg
+--hrn7OEepS7ichxMkY3LK
 Content-Type: application/octet-stream
 Content-Transfer-Encoding: base64
 Signature-Algorithm-Id: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
 Verification-certificate-hash: W2F4hzoUhJJPkdFdF8I1xJJMa23M3lenSNP4hs7fFcT+bujRmNopiBSipWVmErejnHpqo0TWVn7LItY7JkKl+w==; hash-algorithm-id="http://www.w3.org/2001/04/xmlenc#sha512"
 
-aEnS5802O4Vfnh0ioj348XBSAh8wWBQZZ0rjuealfceNW9KvQkwCFckt1Lb3gE2DlRpS/RTv+VSgR3WET7nF1MmQd0JdV8cn1Z0OsFVMyC3APvMfJLjk1YHURqJpxIJOujsJhdeMupc1jjbvPsTuasMMvSQGQKaz80UESxfQLavoJ9HS07DE7l4GjhXCiDX1D3RQ+t7LxPQkBVL2gDT6rkYL2aoMqKV5zPj44hh7EwpkF3BtSccTAqkhnB4kpDGnNZIA5HjN4A33ZY3Nx47rDKPMQp081DBanAx7ukpLL07oJThv6HX0vlgobtzKW8onvgAAu21+na2AQ11MtL+R6A==
---Sv3f3hdE8vgnvytgxWUg--
+BIS/Enjl9A2dgqGKnnSqULX6rg3rydK/FJVwPeAfVTX2/ffO2Llj43Q/g8UhMXhVYfjql9JjHkjR14PxugizXbiYPvis7+bO8hrkpn3Zvu3VcisVXc7NR+g8whQM7YJ/LcxsqiiW3tQJe1beHT5SzWeNdPO5/EwEK4cmTlJydeimQFi5EdbtYiHLjfiainXfCaLzXMBs3VnUhe9pXRuSQUjqDOV+/odQMkCESMXy6UpTUTRfynGbYVYB2PRhUYYpSahwz1JC3+njFxmgCdtgnFUSQmupURJItnTpqxmoxpjekuIpKp1Ml41/6xV9q86FcYNuvQHwzLgi2cJJU2/YaA==
+--hrn7OEepS7ichxMkY3LK--
diff --git a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java
index db79f7da9b..30bbc26e0f 100644
--- a/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java
+++ b/src/signer/src/test/java/ee/ria/xroad/signer/tokenmanager/TokenManagerMergeTest.java
@@ -198,7 +198,7 @@ public void shouldAddOcspResponse() throws IOException {
         KeyInfo beforeKeyInfo = TokenManager.getKeyInfo(testKeyId);
         assertNotNull("test setup failure", beforeKeyInfo);
 
-        final String testCertId = "e82e0b2b184d4387c2afd83708d4cfeaeb872cf7";
+        final String testCertId = "06700c12f395183c779884fcd49d4ca55fa485aa65617da5b75d84927bec2c91";
         CertificateInfo beforeCertInfo = TokenManager.getCertificateInfo(testCertId);
         assertNotNull("test setup failure", beforeCertInfo);