certificate services

Posted on 2016-08-15
Last Modified: 2016-09-30
I have a standalone root CA configured with a 408 bit key and SHA1 as the CSP. I want to install an enterprise subordinate CA with a 2048 bit key and with SHA256 as the CSP. Is there a problem with this configuration?
Question by:Aamer-
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41757018
Not a problem.
LVL 40

Expert Comment

by:Adam Brown
ID: 41757156
Nope. Stand alone CAs are just that. Stand alone. It won't interact with the Enterprise CA in any way whatsoever. One thing you'll need to be aware of, though, is that requesting certificates will default to using the Enterprise CA, so you will need to make sure you are choosing to develop a CSR without the enrollment policy if you want the Stand-alone CA to issue the certificate.

Author Comment

ID: 41758377
I already have a standalone root CA and two enterprise subordinate CAs using SHA1. Now I am installing a new CA and came across articles that SHA-1 will be deprecated from 1st Jan 2017: browsers will not honor any certificate with SHA-1 from 2017. We are using private certificate authorities and have issued certificates to many servers and clients. I read a lot of articles that suggest upgrading both the root CA and subordinate CA. Please suggest.
Is it required that I upgrade the complete hierarchy to SHA-1? How do I go about this?
LVL 80

Accepted Solution

David Johnson, CD, MVP earned 500 total points
ID: 41758846
Since you have a root CA and several issuing CAs, it is not required to upgrade your root CA to SHA256 or SHA-2. Web browsers will not use SHA-1 certificates in the future, so only the CA that issues the certificates to your web/Exchange servers requires a change to SHA2 or higher. Each CA has its own policies (capolicy.inf). The very first thing you must do on the server on which you are going to implement a CA is to create a capolicy.inf that goes in the c:\windows folder. Each CA has its own CDP, CRLs and AIAs.

As long as the chain is not broken then you are fine.

Author Comment

ID: 41759543
Thanks a lot for your reply. So in my case, on all the subordinate CAs, I change the CSP to SHA-2 and I believe I have to reissue certificates to all my web servers and Exchange servers. On the servers which are already installed, is it enough if I just change the CSP to SHA-2 and reissue certificates? I would appreciate it if you could slightly simplify this for me.
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41759667
That is correct, you have to reissue and reinstall the certificates.

Author Comment

ID: 41760038
Just to reconfirm, please correct me if I am wrong:

1. Nothing to be done on the standalone Root CA.
2. On the existing Enterprise Subordinate CAs, change the CSP from SHA-1 to SHA2 (using the GUI).
3. Reissue certificates for web/Exchange servers.
4. Install the new CA with SHA2, irrespective of the configuration of the root CA.
5. Please let me know if this is a safe procedure, as a lot of certificates have been issued already, and if I change, will the already issued certificates have any issues?
6. If you have a document that can help me with this change I will be grateful, as I have to do this task in a couple of days in production.

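The accepted answer and the author's step list above describe changing the issuing CAs' hash algorithm and reissuing the server certificates. The script below is an added example, not code from this thread or from Microsoft: run as an administrator on a subordinate CA, it reports which provider and hash algorithm the CA currently signs with, lists machine-store certificates still signed with SHA-1 (the ones that would need reissuing), and prints the certutil switch to SHA-256. It assumes a single CA on the box and that the CA key lives in a CNG key storage provider (KSP); a CA whose key is still held by a legacy CSP must first have its key migrated to a KSP before CNGHashAlgorithm has any effect.

```powershell
# Added example (not from the thread). Inventory before changing anything.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active          # name of the active CA
$csp    = Get-ItemProperty -Path "$cfg\$caName\CSP"     # provider and hash settings

# Legacy CSP CAs store the hash as a CALG id (0x8004 = SHA1, 0x800C = SHA256);
# KSP-based CAs store the algorithm name in CNGHashAlgorithm instead.
$legacyHash = if ($null -ne $csp.HashAlgorithm) { '0x{0:X}' -f $csp.HashAlgorithm } else { '(not set)' }
$cngHash    = if ($csp.CNGHashAlgorithm) { $csp.CNGHashAlgorithm } else { '(not set)' }

"CA           : $caName"
"Provider     : $($csp.Provider)"
"CNG hash     : $cngHash"
"Legacy hash  : $legacyHash"
if ($csp.Provider -notlike '*Key Storage Provider*') {
    "NOTE: CA key is not in a KSP; migrate it to a KSP before setting CNGHashAlgorithm."
}

# Certificates in the machine store still signed with SHA-1. On a web or
# Exchange server this is the list of certificates that must be reissued
# after the issuing CA has been switched to SHA-256.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
    Select-Object Subject, Issuer, NotAfter,
                  @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# The actual switch is deliberately left as a printed reminder, to be run by
# hand once the inventory above looks right (a CA service restart is required):
"To switch this CA to SHA-256 run:"
"  certutil -setreg ca\csp\CNGHashAlgorithm SHA256"
"  net stop certsvc; net start certsvc"
"Verify with: certutil -getreg ca\csp\CNGHashAlgorithm"
```

Certificates the CA issued before the switch stay valid and keep their SHA-1 signature; only newly issued (reissued) certificates are signed with SHA-256, which is why the server certificates have to be reissued and reinstalled.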