Solved

PKI and SHA-2

Posted on 2014-04-11
1,320 Views
Last Modified: 2014-04-25
Our AD runs on 2003 R2 Domain and Forest Functional Level. We want to upgrade our PKI to support SHA-2 certs in the near future for internal certificates.
I'm not sure how this works, but if we want to use SHA-2, don't we have to upgrade our AD at least up to 2008 R2 Domain and Forest Functional Level?
As we want to "get rid" of the SHA-1 certs, what could be a reasonable way to have a smooth transition? Wait until all SHA-1 certs expire, or start issuing SHA-2 certs slowly but surely? We use certs mostly for OWA, and in future for mobile access.
Question by:DukewillNukem
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39995555
Looks like 2008 R2 will be safest to fully support SHA-2, and do see this summary of the various client and Outlook tips in having mixed servers as a consideration in migration. Certificates will have to be reissued.

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx?pi47623=2

This FAQ and migration suggestion are also by far the most useful details available, though not a step-by-step. Check out the CA chain and notes.

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

However, I do see it should not be an easy overnight thing, as I believe there are compatibility and interoperability issues... almost like when IPv6 came and most legacy apps broke when the infrastructure moved without a careful plan.

Microsoft states the end specifically for root CAs. Best to hold for a while as well, as plans and practices are not widely published and migrating over can impact business. Good to identify a targeted staging environment to change over all root CA trusted certs first, prior to client certs. Late 2014, after hearing out more, will be preferred.

The below even mentions that the CA/Browser Forum has not yet specified SHA-256 in its Baseline Requirements, though Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 certificates issued under public roots.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

Also good to note some queries in the open, such as:

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/MIME signed e-mails? Will Windows still consider SHA1 certificates valid for those usages after January 2016/2017?

Answer: SHA1 S/MIME and SHA1 document signing may be vulnerable at the same time as code signing and SSL; however, they are smaller targets than code signing and SSL. This SHA1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy, including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.
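One way to take the inventory the answer calls for (which certs are still SHA-1, where in the CA chain they sit, and when they expire), as an added example that is not part of the original thread. It assumes the PKI-issued certs of interest are in Cert:\LocalMachine\My; the store path and the SHA-1 OID list are assumptions to adjust for your environment.

```powershell
# Added example (not from the original thread): inventory certificates in the
# local machine store, classify each by signature hash, and walk each
# end-entity cert's chain so a SHA-1 issuing or root CA is found before
# the SHA-1 leaves are dealt with. Assumes Cert:\LocalMachine\My holds the
# internally issued certs (OWA, mobile access); adjust the path as needed.

$sha1Oids = @('1.2.840.113549.1.1.5',   # sha1RSA
              '1.2.840.10040.4.3',       # sha1DSA
              '1.2.840.10045.4.1')       # sha1ECDSA

function Get-HashFamily {
    param([System.Security.Cryptography.Oid]$Oid)
    if ($sha1Oids -contains $Oid.Value) { return 'SHA-1' }
    if ($Oid.FriendlyName -match 'sha(256|384|512)') { return 'SHA-2' }
    return "other ($($Oid.FriendlyName))"
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Inventory only: do not fetch CRLs while building the chain.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    # Chain elements run leaf -> issuing CA -> root; report every hop so a
    # SHA-1 CA cert is visible even when the leaf itself is already SHA-2.
    $hops = $chain.ChainElements | ForEach-Object {
        '{0} [{1}]' -f $_.Certificate.Subject,
                       (Get-HashFamily $_.Certificate.SignatureAlgorithm)
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        LeafHash = Get-HashFamily $cert.SignatureAlgorithm
        Chain    = $hops -join ' <- '
    }
}

# SHA-1 leaves with the latest expiry are the ones that will not simply
# age out before the deprecation dates; those are the re-issue candidates
# if "wait until they expire" is not acceptable.
$report | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

Run it against Cert:\LocalMachine\Root as well to see which trusted root CA certs are SHA-1, since the answer suggests changing those over first.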
