certificate services

I have a standalone root CA configured with a 408 bit key and sha1 as the csp. I want to install a enterprise subordinate CA with 2048 bit key and with sha 256 as csp. is there a problem with this configuration.
Who is Participating?
David Johnson, CD, MVPConnect With a Mentor OwnerCommented:
since you have a root CA and several issuing CA's, it is not required to upgrade your root ca to SHA256 or SHA-2.  Web Browsers will not use SHA-1 certificates in the future.. SO only the CA that issues the certificate to your WEB/Exhange servers require a change to SHA2 or higher. Each CA has their own policies (capolicy.inf) . The very first thing you must do on the server that you are going to implement a CA is to create a capolicy.inf that goes in the c:\windows folder.  Each CA has their own CDP,CRL's and AIA's.

As long as the chain is not broken then you are fine.
David Johnson, CD, MVPOwnerCommented:
Not a problem.
Adam BrownSr Solutions ArchitectCommented:
Nope. Stand alone CAs are just that. Stand alone. It won't interact with the Enterprise CA in any way whatsoever. One thing you'll need to be aware of, though, is that requesting certificates will default to using the Enterprise CA, so you will need to make sure you are choosing to develop a CSR without the enrollment policy if you want the Stand-alone CA to issue the certificate.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Aamer-Author Commented:
I already have a standalone root CA and two enterprise subordinate CA using SHA1. Now I am installing a new CA and came across articles that SHA-1 will be deprecated from 1st jan 2017. browsers will not honor any certificate with SHA-1 from 2017. we are using private certificate authorities and have issued certificated to many servers and clients. read a lot of articles that sugges to upgrade both the root ca and subordinate ca. please sugges.
is it required that I u[grade the complete hierarchy to SHA-1. how do I go about this.
Aamer-Author Commented:
Thanks a lot for your reply. So in my case, on all the subordinate CA's, I change the CSP to SHA-2 and I believe I have to reissue certificates all my web servers and exchange servers. on the servers which are already installed is it enough if I just change the CSP to SHA-2 and reissue certificates. appreciate if you can slightly simplify this for me.
David Johnson, CD, MVPOwnerCommented:
That is correct you have to reissue and reinstall the certificates.
Aamer-Author Commented:
Just to reconfirm, please correct me if I am wrong

1. Nothing to be done on the standalone Root CA
2. on the existing Enterprise Subordinate CA's change CSP from SHA-1 to SHA2 (using GUI)
3 reissue certificates for web/exchange servers.
4. install the new CA with SHA2  irrespective of the configuration of the root CA.
5. please let me know if this is a safe procedure as a lot of certificates have been issued already   and      if   I change will the already issued certificates have any issues.
6. if you have a document that can help me with this change I will be grateful as I have to do this task in a couple of days in production.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.