Windows Root Certification Program = Deprecation of SHA1

credog
credog used Ask the Experts™
on
This is a followup to a comment made in another question I have (Windows 7 Self Signed Certificate for RDP).  

I am trying to get a handle on the SHA1 deprecation that is coming from Microsoft that will eventually impact ssl certs signed with sha1 from the CA.  Certs that are used for RDP or certs that are issued from DOD that we have for smart cards.  In these articles and many other it states something to the effect:  

Microsoft announced our stance on SHA-1 in multiple blog articles, including

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx This link is external to TechNet Wiki. It will open in a new window. ,
http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2880823-recommendation-to-discontinue-use-of-sha-1.aspx This link is external to TechNet Wiki. It will open in a new window. , and
https://technet.microsoft.com/en-us/library/security/2880823.aspx This link is external to TechNet Wiki. It will open in a new window.  

In summary, as of now (May 2015), Microsoft's SHA-1 deprecation only impacts SSL and code-signing certs issued by CAs in the Windows Root Certification Program. Any CA not in that program will be treated as a private/enterprise CA and Microsoft's current (as of 5/15/2015) SHA-1 deprecation policies does not apply. Microsoft's treatment of SHA-1 and its further deprecation will be discussed more at the appropriate future time.

I am trying to understand how that applies and how to determine if any of the certs were issued by a by CAs in the Windows Root Certification Program.  We have an enterprise CA that we can use with templates that issues Certs for things like RDP.  

I don't control the root CA for the enterprise, so I would like to see if that CA is part of the program. Also, as mentioned before, what about certs issued by third parties like DOD, or others.  How can I figure out if the Certs we have will be impacted?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dave HoweSoftware and Hardware Engineer
Commented:
Root CA for the enterprise is, by definition, an enterprise root (the Windows Roots are the ones you see as trusted roots in the certificate snapin, and which are updated by MS from time to time via windows update; your enterprise root is private to you, not distributed externally by Microsoft)

The DoD issuing CAs chain back to the US Government Foreign Policy root, which IS part of the MS Windows Rootset, but should be fine; the DoD has been issuing using SHA256 for a number of years now, so any certs you have from them should already be at least that.

Note however that the major browsers are becoming increasingly restrictive about outdated hash methods, and some (such as Firefox) don't use the Windows roots
btanExec Consultant
Distinguished Expert 2018

Commented:
SHA 1 is consider as transitional and most have to plan to shift to SHA 2 family including those certificate with SHA2. The root CA can still be SHA1 while the issued cert from that root CA is at SHA2. The consideration is more on the actual issued cert since it is used as the key RDP or SSL cert for secure channel. Ideally we will want all the cert to be SHA 1 based but legacy root CA may not support it overnight and may need overhaul.

For DoD PKI, you can find out more details in https://militarycac.com/dodcerts.htm. Overall, it has multiple tier as compared to two simple tier. Its infrastructure comprised of two Root CA and a number of Intermediate CA. All of the DoD root certificates should be installed on user computer, otherwise it is not guarantee that all its DoD applications can work and can be prompted as untrusted to all its downstream issued DoD PKI certificates. DoD also faced this SHA2 migration challenges too but they has targeted by end 2013 to have only SHA2 supported with SHA1 deprecated - see their 2011 public sharing of such efforts (see timeline in slide 8-10)
This will be Hard – Large complex DoD Network of Networks with SHA-1 implementations
(workstations, applications, web services, etc…)

 Federal partners began issuing PKI certs with SHA-256 crypto algorithms and stopped issuing SHA-1 on 1 Jan 2011
 Will impact systems & applications using PKI
 Most current DoD systems & applications will not be able to process the new algorithm without software upgrades

Most widely deployed CAC middleware currently does not support SHA-256 for MS OS/applications
• Middleware does not implement MS mini drivers
• Mini drivers must be used within MS cryptography architecture to access SHA-256 algorithms

Major actions & milestones:
o Upgrade affected Systems and Applications NLT 31 DEC 2012
• Domain Controllers, AuthN servers, Web servers, Email servers
• Workstations, CAC middleware, Email clients
• Digital Signing and Certificate Validation software
o Upgrade PKI and RAPIDS Infrastructure by 31 DEC 2012
o Start issuing DoD certs w/SHA-256 NLT 01 JAN 2013
o Stop issuing DoD certs w/SHA-1 NLT 31 DEC 2012
http://www.acq.osd.mil/dpap/ops/docs/Public%20Briefing%20-%20DoD%20SHA-256%20Migration%2018%20Mar%202011.pdf
Learn SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

Author

Commented:
Thank you for the responses.  Still trying to understand this.  

It doesn't appear that I can  assume that CAs listed in the certmgr under "Trusted Root Certification Authorities" --> Certificates are part of the Windows Root Certification Program and would be subject to this policy?  It would seem like I can't since I see our Enterprise CA listed in there.  It was mentioned that cert is private and would not be a part of this.

Still confused on how to determine what CAs are and are not part of the  Windows Root Certification Program.  

Mr. Howe: You mentioned that the DOD roots are part of the program, but they are not listed in the pdf link that Mr. Johnson provided.  Just confused on how this will impact us.
btanExec Consultant
Distinguished Expert 2018

Commented:
in fact to go with Windows CA program so as to have their CA cert recognized, there are audit requirement to pass. This is likely to give us clue on program applicability and it is an regime to maintain regular audit passes too..
All CAs in the Program must comply with the Program Technical Requirements. If Microsoft determines that a CA is not in compliance with the below requirements, Microsoft may exclude the CA from the Program.
https://technet.microsoft.com/en-us/library/cc751157.aspx
http://social.technet.microsoft.com/wiki/contents/articles/31635.microsoft-trusted-root-certificate-program-audit-requirements.aspx

And also more on the SHA 1
Will the policies apply to certificates that do not chain to a certificate issued by a CA in the Microsoft Root Certificate Program?
>  No, the policies will only apply to certificates issued by CAs in the Program.

Will there be any policy active on a client Windows machine for TLS certificates in January, 2016?
 >  No – policy on a client Windows machine targeting TLS certificates will not be applied until January 2017

Will the policy impact certificates that chain up to an internal root that is not part of the Microsoft Trusted Root Program?
>  No. Only certificates that are in the Microsoft Trusted Root Program will be affected by the policies described here.
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx#Will_the_policies_apply_to_certificates_that_do_not_chain_to_a_certificate_issued_by_a_CA_in_the_Microsoft_Root_Certificate_Program

The list of Certification Authorities (CAs) who are members of the Windows Root Certificate Program as of September 2014 is available as below. So minimally this serves to let us know if the CA is already in the program
http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
Dave HoweSoftware and Hardware Engineer

Commented:
Odd. my older machines (XP) still have it, but my win7-win10 don't seem to - In addition, the link btan posted includes a "cross cert removal tool" - running this on my older machines breaks the link to the USG cert by removing the intermediate DoD issuing ca from the keystore - so I think they have moved from using the USG root to having their own standalone roots now.
btanExec Consultant
Distinguished Expert 2018

Commented:
I also see the DoD Root CA not under the Windows program otherwise the update or list of CA will already have included those certificate. They have advised user to use installroot toolkit to install the DoD Root CA and intermediate CA - see their latest toolkit user guide in pg 8 and 9 on the snapshot of one Root CA an instance
Select the Certification Path tab to verify the certification path. The certification path should read “DoD Root CA 2 > DoD CA-27 > CS.DoD PKE Engineering.DoDPKE60003.” If the digital signature is not OK, do not proceed with installation as the version of the tool you have may not be authentic.
- http://iase.disa.mil/pki-pke/Documents/InstallRoot%204_1%20NIPRNET_User_Guide_02132015.pdf

Overall DoD guidance on their cert in https://militarycac.com/dodcerts.htm

Author

Commented:
Thanks again.  I have this link that appears to be up to date and it does list  the Government of the United States of America, Federal PKI as being a member of the Microsoft Root Program, which I assume would include DOD.  Would you guys agree?

http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
Exec Consultant
Distinguished Expert 2018
Commented:
Yes, I saw one in your link and actual there is remaining two which are not expired yet see this iink
http://social.technet.microsoft.com/wiki/contents/articles/2592.windows-root-certificate-program-members-list-all-cas.aspx

The best is check out the CA cert thumbprint of the Government of the United States of America, Federal PKI e.g. in 2011 the CA is as of below

Government of the United States of America, Federal PKI
USA      Common Policy      2048      SHA1      ‎10/15/2027      
cb 44 a0 97 85 7c 45 fa 18 7e d9 52 08 6c b9 84 1f 2d 51 b5

Government of the United States of America, Federal PKI
USA      Federal Common Policy CA      2048      SHA256      
‎Sunday, ‎December ‎01, ‎2030 8:45:27 AM      ‎
90 5f 94 2f d9 f2 8f 67 9b 37 81 80 fd 4f 84 63 47 f6 45 c1

But if they are in the Program, these Root certificates should have them since the member of the Program are distributed via the Windows Root Certificate Program.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial