I have a Windows 2008 R2 server that serves as a domain controller and doubles as an Enterprise Root CA. The CA is using a CSP and SHA-1. We are working to figure out the details of getting to SHA-256. I know I have to upgrade to get to a KSP to allow for SHA-2. There are a couple of things in my plan that I am hoping to get clarification on.
I think my best option for the least amount of disruption would be to set up a Subordinate CA on Windows 2012 R2 Ent. I would originally get a SHA-1 certificate for the subordinate. I would use a KSP as the provider and start issuing SHA-256 certificates from the subordinate. I would begin replacing the certificates that have been issued directly from the Root CA (currently all certs are generated from the Root) with certificates from the subordinate. After all certificates have been replaced, I would deploy a new Root CA on Windows 2012 R2 Ent and move the subordinate underneath that new Root CA. I would use GPO to push the subordinate and the new Root CA certificates to my domain machines.
Is this a valid approach? More work than necessary? Suggestions? Thank you!
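The plan above has three points where a practitioner wants a concrete check rather than a guess: what provider and hash the existing CA is actually configured with, which certificates issued by the root still carry SHA-1 signatures (the inventory the "replace everything" step depends on), and how the new subordinate is installed with a KSP and SHA-256 from the start. The PowerShell below is an added example, not part of the original question and not from any Microsoft documentation page; the CA config string `dc01.contoso.local\Contoso-Root-CA`, the issuer DN `CN=Contoso-Root-CA`, the subordinate name, and the file paths are all hypothetical placeholders, and the script must be run in an elevated session by a CA administrator. It uses only `certutil`, `certreq`, the `Cert:` drive and the `Install-AdcsCertificationAuthority` cmdlet that ships with the ADCS role on 2012 R2.

```powershell
# Added example (not from the original post). Audit the existing CA's
# signing configuration, inventory SHA-1 certificates it issued, then show
# how the new KSP-backed subordinate is installed and its hash set.
# All names below are hypothetical; replace them with your own.
$RootConfig  = 'dc01.contoso.local\Contoso-Root-CA'   # hypothetical CA config string
$RootSubject = 'CN=Contoso-Root-CA'                   # hypothetical issuer DN
$SubConfig   = 'pki01.contoso.local\Contoso-Sub-CA'   # hypothetical new subordinate

function Get-CaSigningConfig {
    # Reads the CSP/KSP settings under ca\csp. On a CSP-based CA,
    # HashAlgorithm is a CALG_* DWORD (0x8004 = CALG_SHA1) and
    # CNGHashAlgorithm does not exist; on a KSP-based CA the provider is
    # "Microsoft Software Key Storage Provider" and CNGHashAlgorithm names
    # the hash (for example SHA256).
    param([string]$Config)
    $result = [ordered]@{}
    foreach ($key in 'Provider', 'ProviderType', 'HashAlgorithm', 'CNGHashAlgorithm') {
        # certutil prints lines such as "  Provider REG_SZ = Microsoft Strong Cryptographic Provider"
        $out  = & certutil -config $Config -getreg "ca\csp\$key" 2>&1
        $line = $out | Where-Object { $_ -match "^\s*$key\s+REG_" } | Select-Object -First 1
        $result[$key] = if ($line) { ($line -split '=', 2)[1].Trim() } else { '(not set)' }
    }
    [pscustomobject]$result
}

function Get-Sha1CertsIssuedBy {
    # Lists certificates in the local machine stores that were signed by the
    # given issuer with a SHA-1 signature. The root's own self-signed cert
    # (Issuer equals Subject) is deliberately included: its signature also
    # has to go away when the new root is deployed.
    param(
        [string]$IssuerSubject,
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
    )
    Get-ChildItem -Path $Stores |
        Where-Object { $_.Issuer -eq $IssuerSubject -and $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ n = 'SigAlg';   e = { $_.SignatureAlgorithm.FriendlyName } },
            @{ n = 'Template'; e = {
                # 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension
                $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
                if ($ext) { $ext.Format($false) } else { '(no template)' }
            } }
}

# 1. What is the existing root actually using?
Get-CaSigningConfig -Config $RootConfig | Format-List

# 2. Which certs on this box still need to be reissued from the subordinate?
#    Run this (or push it as a scheduled script) on every domain machine.
Get-Sha1CertsIssuedBy -IssuerSubject $RootSubject | Format-Table -AutoSize

# 3. Install the new subordinate on the 2012 R2 server with a KSP and SHA-256.
#    AlternateSignatureAlgorithm=0 in CAPolicy.inf keeps PKCS#1 v1.5 signatures;
#    RSASSA-PSS is not accepted by all clients. Place the file in %SystemRoot%
#    before running the install.
$caPolicy = @"
[Version]
Signature="`$Windows NT`$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
AlternateSignatureAlgorithm=0
LoadDefaultTemplates=0
"@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso-Sub-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\Contoso-Sub-CA.req' -Force

# The request is submitted to the existing root (which, as the post notes,
# will sign it with SHA-1 for now); the subordinate still issues SHA-256.
certreq -submit -config $RootConfig 'C:\Contoso-Sub-CA.req' 'C:\Contoso-Sub-CA.cer'
certutil -installcert 'C:\Contoso-Sub-CA.cer'

# 4. Confirm the subordinate signs with SHA-256; on a KSP-backed CA the hash
#    can be changed later with -setreg and a service restart.
certutil -config $SubConfig -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service certsvc
Get-CaSigningConfig -Config $SubConfig | Format-List
```

Step 2 is the one to repeat on every machine before decommissioning anything: the CA database on the root can tell you what it issued, but not what is still installed and in use, and the root's own self-signed certificate in `Cert:\LocalMachine\Root` will show up as SHA-1 until the new root replaces it. When the new root is built and the subordinate is re-parented, the same `Get-CaSigningConfig` check against the new root's config string verifies it is KSP and SHA-256 before any cross-signed subordinate certificate is installed. Publishing the new root and subordinate certificates to Active Directory with `certutil -dspublish -f <cert> RootCA` (and `SubCA` for the subordinate) is the usual alternative to a GPO push, since domain members pull the NTAuth and root stores from AD automatically.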