PKI and SHA-2

Posted on 2014-04-11
Last Modified: 2014-04-25
Our AD runs on 2003 R2 Domain and Forest Functional level. We want to upgrade our PKI to support SHA-2 certs in the near future for internal certificates.
I'm not sure how this works, but if we want to use SHA-2, don't we have to upgrade our AD at least up to 2008 R2 Domain and Forest Functional level?
As we want to "get rid" of the SHA-1 certs, what could be a reasonable way to have a smooth transition? Wait until all SHA-1 certs expire, or start issuing SHA-2 certs slowly but surely? We use certs mostly for OWA, and in future for mobile access.
Question by: DukewillNukem
Accepted Solution

by: btan (ID: 39995555)
Looks like 2008 R2 will be safest to fully support SHA-2, and do see this summary of the various client and Outlook tips in having mixed servers as a consideration in migration. Certificates will have to be reissued.

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx?pi47623=2

This FAQ and migration suggestion are also by far the most useful details available, though not a step by step. Check out the CA chain and notes.

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

However, I do see it should not be an easy overnight thing, as I believe there are compatibility and interoperability issues... almost like when IPv6 came and most legacy apps broke when infra moved without a careful plan.

Microsoft states the end specifically for root CAs. Best to stay on hold for a while as well, as plans and practices are not widely published and migrating over can impact business. Good to identify a targeted staging environment to change over all root CA trusted certs first, prior to client certs... late 2014 and hearing out more will be preferred.

The below even mentions that the CA/Browser Forum has not yet specified SHA-256 in their Baseline Requirements, though Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 certificates issued under public roots.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

Also good to note some queries in the open, such as

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/MIME signed e-mails. Will Windows still consider SHA1 certificates valid for those usages after January 2016/2017?

Answer: SHA1 SMIME and SHA1 document signing may be vulnerable at the same time as code signing and SSL, however they are smaller targets than code signing and SSL. This SHA1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.
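One way to take stock before deciding between letting SHA-1 certs expire and reissuing them, as an added example written for this thread (not code from the answer above or from Microsoft): a PowerShell inventory of the local machine certificate stores grouped by signature algorithm. The store order (roots, then intermediates, then issued certs) and the January 2017 distrust date come from the thread; the 90-day lead time and the CSV file name are assumed values.

```powershell
# Added example (not from the thread): inventory certificates in the local
# machine stores by signature algorithm so SHA-1 certificates can be planned
# for reissue. Roots first, then intermediates, then issued certs, as the
# answer suggests staging the root CA change before client certs.
$Stores   = @('Root', 'CA', 'My')          # trusted roots, intermediates, issued certs
$Cutoff   = Get-Date '2017-01-01'          # Microsoft SHA-1 distrust date cited in the thread
$LeadTime = 90                             # assumed: days of lead time before renewal

$Inventory = foreach ($Store in $Stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" | ForEach-Object {
        $algo   = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        $isSha1 = $algo -match '^sha1'
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            Algorithm  = $algo
            NotAfter   = $_.NotAfter
            IsSha1     = $isSha1
            # A SHA-1 cert that expires comfortably before the cut-off can be
            # allowed to lapse; one that outlives the cut-off must be reissued.
            Action     = if (-not $isSha1) { 'OK' }
                         elseif ($_.NotAfter -lt $Cutoff.AddDays(-$LeadTime)) { 'LetExpire' }
                         else { 'Reissue' }
        }
    }
}

# Summary: how many certs per store use each signature algorithm.
$Inventory | Group-Object Store, Algorithm |
    Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Work list: SHA-1 certs that outlive the cut-off, in store order, soonest expiry first.
$Inventory | Where-Object { $_.Action -eq 'Reissue' } |
    Sort-Object @{ Expression = { $Stores.IndexOf($_.Store) } }, NotAfter |
    Format-Table Store, Subject, Algorithm, NotAfter -AutoSize

# Export the full inventory for the migration plan (file name is assumed).
$Inventory | Export-Csv -Path .\sha1-inventory.csv -NoTypeInformation
```

Run it as an administrator on the CA and on a representative server such as the OWA front end; the CA's own database of issued certificates can be inventoried separately with certutil -view.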