Solved

certificate services

Posted on 2016-08-15
Last Modified: 2016-09-30
I have a standalone root CA configured with a 408 bit key and SHA1 as the CSP. I want to install an enterprise subordinate CA with a 2048 bit key and SHA-256 as the CSP. Is there a problem with this configuration?
Question by: Aamer-
7 Comments
 
LVL 84

Expert Comment

by: David Johnson, CD, MVP
ID: 41757018
Not a problem.
LVL 43

Expert Comment

by: Adam Brown
ID: 41757156
Nope. Stand-alone CAs are just that: stand-alone. It won't interact with the Enterprise CA in any way whatsoever. One thing you'll need to be aware of, though, is that requesting certificates will default to using the Enterprise CA, so you will need to make sure you are choosing to develop a CSR without the enrollment policy if you want the stand-alone CA to issue the certificate.
Author Comment

by: Aamer-
ID: 41758377
I already have a standalone root CA and two enterprise subordinate CAs using SHA-1. Now I am installing a new CA and came across articles saying that SHA-1 will be deprecated from 1st Jan 2017; browsers will not honor any certificate with SHA-1 from 2017. We are using private certificate authorities and have issued certificates to many servers and clients. I read a lot of articles that suggest upgrading both the root CA and the subordinate CA. Please suggest.
Is it required that I upgrade the complete hierarchy to SHA-1? How do I go about this?
LVL 84

Accepted Solution

by: David Johnson, CD, MVP (earned 2000 total points)
ID: 41758846
Since you have a root CA and several issuing CAs, it is not required to upgrade your root CA to SHA256 or SHA-2. Web browsers will not use SHA-1 certificates in the future, so only the CA that issues the certificates to your web/Exchange servers requires a change to SHA-2 or higher. Each CA has its own policies (CAPolicy.inf). The very first thing you must do on the server on which you are going to implement a CA is to create a CAPolicy.inf that goes in the C:\Windows folder. Each CA has its own CDP, CRLs and AIAs.

As long as the chain is not broken then you are fine.
http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html
Author Comment

by: Aamer-
ID: 41759543
Thanks a lot for your reply. So in my case, on all the subordinate CAs, I change the CSP to SHA-2, and I believe I have to reissue certificates for all my web servers and Exchange servers. On the servers which are already installed, is it enough if I just change the CSP to SHA-2 and reissue certificates? I would appreciate it if you could slightly simplify this for me.
LVL 84

Expert Comment

by: David Johnson, CD, MVP
ID: 41759667
That is correct: you have to reissue and reinstall the certificates.
Author Comment

by: Aamer-
ID: 41760038
Just to reconfirm, please correct me if I am wrong:

1. Nothing to be done on the standalone root CA.
2. On the existing enterprise subordinate CAs, change the CSP from SHA-1 to SHA-2 (using the GUI).
3. Reissue certificates for web/Exchange servers.
4. Install the new CA with SHA-2 irrespective of the configuration of the root CA.
5. Please let me know if this is a safe procedure, as a lot of certificates have been issued already, and if I change, will the already issued certificates have any issues?
6. If you have a document that can help me with this change I will be grateful, as I have to do this task in a couple of days in production.
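The procedure the accepted answer describes and the checklist above summarizes (a CAPolicy.inf on the new CA, a SHA-256 subordinate installed under the SHA-1 root, the existing issuing CAs switched to SHA-256, then end-entity certificates reissued and audited), as an added PowerShell/certutil example. This is not code from the thread or from any participant; the CA name, request path, template name and validity values are placeholder assumptions. One caveat the answers do not mention: `certutil -setreg ca\csp\CNGHashAlgorithm` only takes effect when the CA key lives in a CNG key storage provider (KSP). A CA whose key is in a legacy CSP (for example "Microsoft Strong Cryptographic Provider") needs its key migrated to a KSP first, so the script checks the provider and stops rather than guessing. Changing the hash algorithm affects only certificates signed from that point on; already-issued certificates keep verifying, and the issuing CA's own certificate stays SHA-1-signed by the root until it is renewed against the root.

```powershell
# Added example, not from the original thread. Names and paths are assumptions.
# Run elevated. Sections 1-2 run on the NEW subordinate CA, section 3 on each
# EXISTING issuing CA, section 4 on the web/Exchange servers.

# --- 1. CAPolicy.inf for the NEW enterprise subordinate CA -------------------
# Must be in %windir% BEFORE the CA role is installed; it is only read at
# install and renewal time. Values below are assumptions for a 5-year CA.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
LoadDefaultTemplates=0
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# --- 2. Install the subordinate CA: RSA 2048, SHA-256, key in a CNG KSP ------
# The root's own key size and hash do not constrain this CA; the root only
# signs the request produced here. Submit the .req to the offline root, then
# install the returned certificate with: certutil -installcert <file>.crt
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso-Issuing-CA2' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\CA\Contoso-Issuing-CA2.req' `
    -Force

# --- 3. On each EXISTING issuing CA: sign new certificates with SHA-256 ------
# CNGHashAlgorithm is honoured only when the CA key is held by a CNG KSP.
# A legacy CSP requires a CSP-to-KSP key migration first; refuse in that case.
$providerLine = certutil -getreg ca\csp\Provider | Select-String 'Provider\s+REG_SZ\s*=\s*(.+)'
$provider = $providerLine.Matches[0].Groups[1].Value.Trim()
if ($provider -notmatch 'Key Storage Provider') {
    throw "CA key is in legacy CSP '$provider'; migrate it to a KSP before enabling SHA-256."
}
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service CertSvc
certutil -getreg ca\csp\CNGHashAlgorithm   # confirm: SHA256

# --- 4. Reissue end-entity certificates, then audit for leftover SHA-1 -------
# Re-enroll each server against its template (template name is an assumption):
#   certreq -enroll -machine WebServer
# Then list every certificate in the machine store still signed with SHA-1.
function Get-Sha1Certificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        Select-Object Subject, NotAfter, @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
}
Get-Sha1Certificate
```

After re-enrolling, `certutil -dump <file>.cer` on an exported leaf certificate shows "Signature Algorithm: sha256RSA" if the issuing CA change took effect; running `Get-Sha1Certificate` on each server until it returns nothing is the check that step 3 of the list above is actually complete.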