Solved

migration plan for SHA-1 to SHA-2

Posted on 2014-03-26
1
1,031 Views
Last Modified: 2014-03-31
does anyone have migration plan for SHA-1 to SHA-2?
0
Comment
Question by:DukewillNukem
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39957965
there is no need to make big change as of now, but as you mentioned is to plan for it. Have small win meaning do everything in the staging on the changes before getting the system owner permission and schedule to implement the changes. It is best to know the system and get the provider to provide the migration of the application in concern and perform impact analysis. The OS migration will be done in concurrent with your server team advices.

Key is identify all the PKI owner and cert owner as they are major owner and player. y take is target the public facing website and those services using SSL/TLS

E.g. Symantec advices - http://www.symantec.com/page.jsp?id=sha2-transition
E.g. Microsoft advisory - http://technet.microsoft.com/en-us/security/advisory/2880823

Some MS upgrade sharing to note
- http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx
- http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

Keep in mind the process which Windows uses to build certificate chains.  A very nice write-up of the process was posted previously to this blog.  That being said, it is strongly recommended that clients not have to rely on AIA paths to build certificate chains.  Rather, the new PKI’s hierarchy should be deployed in advance using Group Policy or “certutil -dspublish”. By placing the CA certificates locally on the clients, the administrator can both influence the path clients choose when they encounter cross certification and will ensure that outages of AIA path servers don’t affect a client’s ability to build a chain.

On a similar note, ensure that any new CAs that are issuing end entity certificates are listed in the NTAuthCertificates object.  The process to add them is detailed here and here.

Some applications do not support SHA2.  Before using SHA2 signed certificates with a specific application, it is recommended that all PKI dependent components of that application be tested.  For example, if SHA2 will be used for S/MIME; then every email client, email server, relay, spam filter, security device, etc belonging to both one’s own organization and those of external organizations (which exchange S/MIME messages with one’s organization) would need to be validated that they can process S/MIME with SHA2. For this reason, both old and new PKI hierarchy may need to operate while applications are upgraded/migrated.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Free USB drive encryption 15 64
Using GNU Privacy Guard in a C# program to Decrypt 2 61
BitLocker Server 2012 R2 23 59
Why Root CA Cert does not have expiration date? 2 37
Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now