Experts Exchange connects you with the people and services you need so you can get back to work.
Keep in mind the process which Windows uses to build certificate chains. A very nice write-up of the process was posted previously to this blog. That being said, it is strongly recommended that clients not have to rely on AIA paths to build certificate chains. Rather, the new PKI’s hierarchy should be deployed in advance using Group Policy or “certutil -dspublish”. By placing the CA certificates locally on the clients, the administrator can both influence the path clients choose when they encounter cross certification and will ensure that outages of AIA path servers don’t affect a client’s ability to build a chain.
On a similar note, ensure that any new CAs that are issuing end entity certificates are listed in the NTAuthCertificates object. The process to add them is detailed here and here.
Some applications do not support SHA2. Before using SHA2 signed certificates with a specific application, it is recommended that all PKI dependent components of that application be tested. For example, if SHA2 will be used for S/MIME; then every email client, email server, relay, spam filter, security device, etc belonging to both one’s own organization and those of external organizations (which exchange S/MIME messages with one’s organization) would need to be validated that they can process S/MIME with SHA2. For this reason, both old and new PKI hierarchy may need to operate while applications are upgraded/migrated.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Please enter a first name
Please enter a last name
Must be at least 4 characters long.
Join and Comment
Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.