I have an internal root CA server that runs on Windows 2003, standalone, not connected to the network, to issue SHA-1 certificates. Is it possible for me to have another internal root CA server running on Windows 2012 R2, standalone, not connected to the network, to issue SHA-2 certificates?
This is so I can generate SHA-1 certificates for legacy applications using the existing CA, and generate SHA-2 certificates using the new CA for the applications that are currently using SHA-1 but can support SHA-2.
What is the best practice to achieve this? Will both root CA servers run under different names or the same name? Can someone please advise me on the steps to achieve this? I want to migrate to SHA-2, but at the same time I don't want to affect my existing root CA.
Also, how will I renew the certificates of the existing applications using the new Windows 2012 R2 CA so they can use SHA-2?
Many thanks
You will need to push out your new CA as a root CA for new renewals.
Once you have that pushed out, you can generate a new CSR to register for a new cert.
What type of applications are you using this for? If the only machine that has the cert is the server, I am not seeing any issues.
I would like to have a little more insight on the project.
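The two steps the answer describes, trusting the new root and then requesting a new certificate from it, look like the following on a Windows application server. This is an added example for this page, not code from either poster; the file paths, the host name app01.corp.example, the organisation name and the CA output file are placeholders, and it assumes the new root's certificate has already been exported from the offline 2012 R2 CA to removable media.

```powershell
# Added example, not from the original thread. Run elevated on the application
# server. Assumes the new SHA-2 root CA certificate was exported from the
# offline Windows 2012 R2 CA to C:\PKI\NewRootCA-SHA2.cer (placeholder path).

# 1. Inventory: list machine certificates still signed with SHA-1, so you know
#    which ones must be re-issued by the new CA. sha1RSA is the legacy name.
$sha1Certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha1' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
$sha1Certs | Format-Table -AutoSize

# 2. Trust the new root alongside the old one by placing its certificate in the
#    machine Trusted Root store. Both roots coexist; nothing is removed, so
#    certificates from the Windows 2003 CA keep validating. On domain members
#    distribute the root with Group Policy (Computer Configuration > Windows
#    Settings > Security Settings > Public Key Policies > Trusted Root
#    Certification Authorities) rather than host by host.
Import-Certificate -FilePath 'C:\PKI\NewRootCA-SHA2.cer' `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 3. Generate a new key pair and a PKCS#10 request. HashAlgorithm here only
#    controls how the request itself is signed; the signature algorithm of the
#    issued certificate is decided by the CA. Check on the CA with
#    "certutil -getreg ca\csp\CNGHashAlgorithm" that it is set to SHA256.
#    The legacy RSA SChannel CSP is used so the key stays usable by older
#    applications; CNG-aware applications can use
#    "Microsoft Software Key Storage Provider" instead.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=app01.corp.example, O=Example Corp"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
Set-Content -Path 'C:\PKI\app01.inf' -Value $inf -Encoding ASCII
certreq.exe -new 'C:\PKI\app01.inf' 'C:\PKI\app01.req'

# 4. The root CA is offline, so carry app01.req to it on removable media and
#    issue the certificate there (on the CA: "certreq -submit app01.req
#    app01.cer"; a standalone CA holds requests as pending by default, so
#    approve with "certutil -resubmit <RequestId>" and retrieve the .cer).
#    Bring app01.cer back and bind it to the private key created in step 3:
certreq.exe -accept 'C:\PKI\app01.cer'

# 5. Verify the new certificate is SHA-256 signed and chains to the new root.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=app01.corp.example*' } |
    ForEach-Object {
        '{0}  {1}  issuer={2}' -f $_.Thumbprint,
            $_.SignatureAlgorithm.FriendlyName, $_.Issuer
    }
```

After step 5 the application still has to be re-bound to the new certificate (for example a new HTTPS binding in IIS, or a new thumbprint in the service's configuration); the old SHA-1 certificate can be left in place until that switch has been confirmed and then deleted.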