Solved

PKI and SHA-2

Posted on 2014-04-11
1
1,247 Views
Last Modified: 2014-04-25
our AD runs on 2003 R2 Domain and Forest Functional level. We want to upgrade our PKI to support for SHA-2 certs in near future for internal certificates.
Im not sure,how this works but if we want to use SHA-2,dont we have to upgrade our AD at least up to 2008 R2 Domain and Forest Functional level?
as we want to "get rid" of the SHA-1 certs,what could be a reasonable way to have a smooth
transition? wait until all SHA-1 certs expire or start issuing SHA-2 certs slowly but surely?  we use certs mostly for OWA-and in future for mobile access.
0
Comment
Question by:DukewillNukem
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39995555
looks like 2008r2 will be safest to fully support sha2 and do see this summary of the variois client and outlook tips in having mixed server as considerariin in migration. certificate will have to reissue

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx?pi47623=2

this faq and migration suggestion are also by far the most useful details available though not a step by step. check out the ca chain and notes

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

however,  I do see it should not be an easy overnight thing as I believe there is compatibility and interoperability issues...almost when IPV6 came and most legacy apps break when infra move without careful plan.

Microsoft state the end specifically to root CA. best to stay hold for a while as well plan and practices are not widely published and migration over can impact business. good to identify targeted staging environment to change over all root ca trusted cert first prior to client cert..late 2014 and hearing out more will be preferred.

Below even mention CA/Browser Forum has not yet specified SHA-256 in their Baseline Requirements, though Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 Certificates issued under public roots.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

also good to do note some queries In open sich as

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/Mime signed e-mails. Will Windows still consider SHA1 certifcates valid for those usages afte January 2016/2017?

Answer: SHA1 SMIME and SHA1 document signing may be vulnerable at the same time as code signing and SSL, however they are smaller targets than
code signing and SSL. This SHA1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now