Solved

PKI SHA 244 ,256 and Windows 2008 R2

Posted on 2014-01-16
7
1,084 Views
Last Modified: 2014-01-17
Hi All,

Looking for help.
We want to deploy another VPN network for UK region.
We want to issue RClient certificate with SHA 224 hash Alg.
I checked in windows 2008R2 and found it did not have SHA224 hash alg support.
I see Microsoft Security Advisory (2880823) this replace SHA1 and can issue SHA2 Hash Alg support.i am not getting options to download the hotfix.
Can you please help to know whether the current release Win 2008R2 Ent support SHA224 Hash, if not do we need to have any other additional hotfix ? if yes please send me the link if you have already done the same or sugg how to download manually.

Regards,
Skumar
0
Comment
Question by:Skumar_CCSA
  • 4
  • 3
7 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39787646
Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system. It is worth noting that even though the algorithms are available, it is up to the individual applications to implement support.

hence for Vista and above (2008 R2 in your case) no hotfix is required

Check below articles
http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
http://mailedge.jimdo.com/2012/02/13/what-are-sha-2-certificates/

You can try with SHA 256 algorithm since SHA 224 is not available with 2008 R2

Mahesh
0
 

Author Comment

by:Skumar_CCSA
ID: 39787648
Hi Mahesh,

I saw this option, but client is specific for SHA 224.

I have Microsoft Security Advisory (2880823), not installed yet and not sure after installing this hotfix it will support 224. Do you aware SHA 224 support Win 2012 server ?

Regards,
Skumar.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39787727
Its not present in 2012 server either, its have SHA 256

You can check with 3rd party certificate authority such as Entrust, verisign, they might help you with  SHA 224 Algorithm

Also MS is about to phase out SHA1 for security reasons,  basically that article suggests you to upgrade your certs to SHA2, but its not address your specific requirement SHA 224


Mahesh
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:Skumar_CCSA
ID: 39787733
Hi Mahesh...
3rd party certificates not required.
We want to deploy own CA.
you have any other which can help what type of Hash algorothm support in windows with comparision tabel.


Regards,Skumar.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39787777
Check below article for hash algorithms

http://en.wikipedia.org/wiki/SHA-2

Really i don't seen anywhere SHA 224 that can be requested from client and issued from server and geting beyond my skillsets.

Probbaly some cryptographic expert can help you with some kind of code or hack to achieve that

OR

You could raise this question in Technet Blogs for best possible work arounds or can open advisory case with MS to identify root cause and workaround if any

Mahesh
0
 

Author Comment

by:Skumar_CCSA
ID: 39787966
Hi mahesh....
your link helped me to understand more...
i have deployed SHA256...
it works fine...
0
 

Author Closing Comment

by:Skumar_CCSA
ID: 39787967
the shared link is useful...
thanks.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question