Solved

certificate services

Posted on 2016-08-15
Last Modified: 2016-09-30
I have a standalone root CA configured with a 408 bit key and SHA1 as the CSP. I want to install an enterprise subordinate CA with a 2048 bit key and with SHA 256 as the CSP. Is there a problem with this configuration?
Question by:Aamer-
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41757018
Not a problem.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 41757156
Nope. Stand alone CAs are just that. Stand alone. It won't interact with the Enterprise CA in any way whatsoever. One thing you'll need to be aware of, though, is that requesting certificates will default to using the Enterprise CA, so you will need to make sure you are choosing to develop a CSR without the enrollment policy if you want the Stand-alone CA to issue the certificate.
0
 

Author Comment

by:Aamer-
ID: 41758377
I already have a standalone root CA and two enterprise subordinate CAs using SHA1. Now I am installing a new CA and came across articles that SHA-1 will be deprecated from 1st Jan 2017. Browsers will not honor any certificate with SHA-1 from 2017. We are using private certificate authorities and have issued certificates to many servers and clients. I read a lot of articles that suggest upgrading both the root CA and subordinate CA. Please suggest.
Is it required that I upgrade the complete hierarchy to SHA-1? How do I go about this?
0

 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 41758846
Since you have a root CA and several issuing CAs, it is not required to upgrade your root CA to SHA256 or SHA-2. Web browsers will not use SHA-1 certificates in the future, so only the CA that issues the certificate to your web/Exchange servers requires a change to SHA2 or higher. Each CA has its own policies (capolicy.inf). The very first thing you must do on the server that you are going to implement a CA on is to create a capolicy.inf that goes in the c:\windows folder. Each CA has its own CDP, CRLs and AIAs.

As long as the chain is not broken then you are fine.
http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html
0
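An added example, not part of the original thread: a PowerShell audit that builds the chain for each certificate in a server's machine store and flags only the SHA-1 signatures below the root, which is the set of certificates the answer above says must be reissued. The function name `Get-ChainSignatureReport` and the choice of the `Cert:\LocalMachine\My` store are assumptions made for this illustration.

```powershell
# Added example (hypothetical helper, not from the thread).
# Reports the signature hash of every element in a certificate's chain.
# The self-signed root is a trust anchor: its own signature hash is listed
# but never flagged, matching the advice that the root CA can stay on SHA-1.
function Get-ChainSignatureReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is out of scope here; skip CRL/OCSP fetches so the audit runs offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)   # a partial chain still yields its elements

        foreach ($element in $chain.ChainElements) {
            $cert   = $element.Certificate
            # Heuristic: subject equals issuer means self-signed (root).
            $isRoot = ($cert.Subject -eq $cert.Issuer)
            $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            $role   = if ($isRoot) { 'Root' }
                      elseif ($cert.Thumbprint -eq $Certificate.Thumbprint) { 'Leaf' }
                      else { 'Intermediate' }

            [pscustomobject]@{
                ChainFor           = $Certificate.Subject
                Role               = $role
                Subject            = $cert.Subject
                SignatureAlgorithm = $alg
                NotAfter           = $cert.NotAfter
                # Only signatures below the root are evaluated by relying parties.
                NeedsReissue       = (-not $isRoot) -and ($alg -match '^sha1')
            }
        }
        $chain.Reset()
    }
}

# Run on a web or Exchange server: list every leaf or subordinate CA
# certificate that is still signed with SHA-1.
Get-ChildItem Cert:\LocalMachine\My |
    Get-ChainSignatureReport |
    Where-Object NeedsReissue |
    Sort-Object Subject -Unique |
    Format-Table Role, Subject, SignatureAlgorithm, NotAfter -AutoSize
```

An `Intermediate` row in the output means the subordinate CA's own certificate was signed with SHA-1 by its parent, which is a separate question from the hash that the subordinate uses when it signs new certificates.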
 

Author Comment

by:Aamer-
ID: 41759543
Thanks a lot for your reply. So in my case, on all the subordinate CAs, I change the CSP to SHA-2 and I believe I have to reissue certificates to all my web servers and Exchange servers. On the servers which are already installed, is it enough if I just change the CSP to SHA-2 and reissue certificates? I would appreciate it if you can slightly simplify this for me.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41759667
That is correct, you have to reissue and reinstall the certificates.
0
 

Author Comment

by:Aamer-
ID: 41760038
Just to reconfirm, please correct me if I am wrong:

1. Nothing to be done on the standalone root CA.
2. On the existing enterprise subordinate CAs, change the CSP from SHA-1 to SHA2 (using the GUI).
3. Reissue certificates for web/Exchange servers.
4. Install the new CA with SHA2 irrespective of the configuration of the root CA.
5. Please let me know if this is a safe procedure, as a lot of certificates have been issued already, and if I change, will the already issued certificates have any issues?
6. If you have a document that can help me with this change I will be grateful, as I have to do this task in a couple of days in production.
0
