Solved

PKI and SHA-2

Posted on 2014-04-11
1
1,269 Views
Last Modified: 2014-04-25
our AD runs on 2003 R2 Domain and Forest Functional level. We want to upgrade our PKI to support for SHA-2 certs in near future for internal certificates.
Im not sure,how this works but if we want to use SHA-2,dont we have to upgrade our AD at least up to 2008 R2 Domain and Forest Functional level?
as we want to "get rid" of the SHA-1 certs,what could be a reasonable way to have a smooth
transition? wait until all SHA-1 certs expire or start issuing SHA-2 certs slowly but surely?  we use certs mostly for OWA-and in future for mobile access.
0
Comment
Question by:DukewillNukem
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39995555
looks like 2008r2 will be safest to fully support sha2 and do see this summary of the variois client and outlook tips in having mixed server as considerariin in migration. certificate will have to reissue

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx?pi47623=2

this faq and migration suggestion are also by far the most useful details available though not a step by step. check out the ca chain and notes

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

however,  I do see it should not be an easy overnight thing as I believe there is compatibility and interoperability issues...almost when IPV6 came and most legacy apps break when infra move without careful plan.

Microsoft state the end specifically to root CA. best to stay hold for a while as well plan and practices are not widely published and migration over can impact business. good to identify targeted staging environment to change over all root ca trusted cert first prior to client cert..late 2014 and hearing out more will be preferred.

Below even mention CA/Browser Forum has not yet specified SHA-256 in their Baseline Requirements, though Microsoft is driving the industry to the January 2017 date when they will stop trusting all SHA-1 Certificates issued under public roots.

http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx

also good to do note some queries In open sich as

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

4. What about other certificate uses not mentioned here, like document signatures on a PDF or S/Mime signed e-mails. Will Windows still consider SHA1 certifcates valid for those usages afte January 2016/2017?

Answer: SHA1 SMIME and SHA1 document signing may be vulnerable at the same time as code signing and SSL, however they are smaller targets than
code signing and SSL. This SHA1 deprecation policy focuses on SSL and code signing certs, but the policy will apply to all certificates issued under the root hierarchy including S/MIME. We expect all certificate types excluding code signing and time stamping to follow the SSL deprecation schedule.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Suppress Outlook security alert about name mismatch on ssl certificate 20 143
Firewall Philosophy and Risks 8 127
Error viewing ASP page 12 151
How to batch remove spreadsheet password 19 150
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now