Solved

PKI and SHA-2

Posted on 2014-04-11
1,329 Views
Last Modified: 2014-04-25
Our AD runs at the 2003 R2 Domain and Forest Functional level. We want to upgrade our PKI to support SHA-2 certs in the near future for internal certificates.
I'm not sure how this works, but if we want to use SHA-2, don't we have to upgrade our AD at least up to the 2008 R2 Domain and Forest Functional level?
As we want to "get rid" of the SHA-1 certs, what could be a reasonable way to have a smooth transition? Wait until all SHA-1 certs expire, or start issuing SHA-2 certs slowly but surely? We use certs mostly for OWA, and in future for mobile access.
Question by: DukewillNukem
1 Comment
Accepted Solution

by: btan (earned 500 total points)
ID: 39995555
Looks like 2008 R2 will be the safest to fully support SHA-2. Do see this summary of the various client and Outlook tips for having mixed servers as a consideration in migration. Certificates will have to be reissued.

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx?pi47623=2

This FAQ and migration suggestion are also by far the most useful details available, though not a step by step. Check out the CA chain and notes.

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

However, I do see it should not be an easy overnight thing, as I believe there are compatibility and interoperability issues... almost like when IPv6 came and most legacy apps broke when the infrastructure moved without a careful plan.

Microsoft states the end specifically for the root CA. Best to hold off for a while as well, as plans and practices are not widely published and migrating over can impact business. Good to identify a targeted staging environment to change over all root CA trusted certs first, prior to client certs. Late 2014, after hearing out more, will be preferred.

The below even mentions that the CA/Browser Forum has not yet specified SHA-256 in their Baseline Requirements, though Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 certificates issued under public roots.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

Also good to note some queries in the open, such as

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/MIME signed e-mails? Will Windows still consider SHA-1 certificates valid for those usages after January 2016/2017?

Answer: SHA-1 S/MIME and SHA-1 document signing may be vulnerable at the same time as code signing and SSL; however, they are smaller targets than code signing and SSL. This SHA-1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy, including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.
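To decide between waiting for the SHA-1 certs to expire and reissuing them, the first step is an inventory of what is still SHA-1 signed and when it expires. The following PowerShell script is an added example (not from the answer above or any Microsoft tool); it walks the local machine's personal, intermediate and root stores, which you would run on the OWA server and the CA itself, and the store list and output path are assumptions you may change.

```powershell
# Added example: inventory certificates by signature hash algorithm so the
# SHA-1 to SHA-2 transition can be planned per certificate. Works with the
# built-in Cert: provider (PowerShell 2.0 and later). Store list is an assumption.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        # SignatureAlgorithm is an Oid; FriendlyName reads e.g. "sha1RSA" or "sha256RSA"
        $sigAlg = $_.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Store        = $store
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            Thumbprint   = $_.Thumbprint
            SignatureAlg = $sigAlg
            IsSha1       = ($sigAlg -match '^sha1')
            NotAfter     = $_.NotAfter
            DaysLeft     = [int]($_.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# SHA-1 certificates, soonest expiry first: these are the reissue candidates.
# Note that self-signed roots are listed too; their own hash is not what
# Windows validates, so treat those rows as informational.
$report | Where-Object { $_.IsSha1 } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, SignatureAlg, NotAfter, DaysLeft -AutoSize

# Keep the full inventory for the migration plan (output path is an assumption).
$report | Export-Csv -Path .\cert-hash-inventory.csv -NoTypeInformation
```

On a 2008 R2 or later CA whose key sits in a KSP, the hash the CA signs with can be read with `certutil -getreg ca\csp\CNGHashAlgorithm` before any switch to SHA256 is made in the staging environment the answer recommends.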
