certificate services

Posted on 2016-08-15
Last Modified: 2016-09-30
I have a standalone root CA configured with a 408 bit key and sha1 as the csp. I want to install a enterprise subordinate CA with 2048 bit key and with sha 256 as csp. is there a problem with this configuration.
Question by:Aamer-
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41757018
Not a problem.
LVL 41

Expert Comment

by:Adam Brown
ID: 41757156
Nope. Stand alone CAs are just that. Stand alone. It won't interact with the Enterprise CA in any way whatsoever. One thing you'll need to be aware of, though, is that requesting certificates will default to using the Enterprise CA, so you will need to make sure you are choosing to develop a CSR without the enrollment policy if you want the Stand-alone CA to issue the certificate.

Author Comment

ID: 41758377
I already have a standalone root CA and two enterprise subordinate CA using SHA1. Now I am installing a new CA and came across articles that SHA-1 will be deprecated from 1st jan 2017. browsers will not honor any certificate with SHA-1 from 2017. we are using private certificate authorities and have issued certificated to many servers and clients. read a lot of articles that sugges to upgrade both the root ca and subordinate ca. please sugges.
is it required that I u[grade the complete hierarchy to SHA-1. how do I go about this.
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

LVL 82

Accepted Solution

David Johnson, CD, MVP earned 500 total points
ID: 41758846
since you have a root CA and several issuing CA's, it is not required to upgrade your root ca to SHA256 or SHA-2.  Web Browsers will not use SHA-1 certificates in the future.. SO only the CA that issues the certificate to your WEB/Exhange servers require a change to SHA2 or higher. Each CA has their own policies (capolicy.inf) . The very first thing you must do on the server that you are going to implement a CA is to create a capolicy.inf that goes in the c:\windows folder.  Each CA has their own CDP,CRL's and AIA's.

As long as the chain is not broken then you are fine.

Author Comment

ID: 41759543
Thanks a lot for your reply. So in my case, on all the subordinate CA's, I change the CSP to SHA-2 and I believe I have to reissue certificates all my web servers and exchange servers. on the servers which are already installed is it enough if I just change the CSP to SHA-2 and reissue certificates. appreciate if you can slightly simplify this for me.
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41759667
That is correct you have to reissue and reinstall the certificates.

Author Comment

ID: 41760038
Just to reconfirm, please correct me if I am wrong

1. Nothing to be done on the standalone Root CA
2. on the existing Enterprise Subordinate CA's change CSP from SHA-1 to SHA2 (using GUI)
3 reissue certificates for web/exchange servers.
4. install the new CA with SHA2  irrespective of the configuration of the root CA.
5. please let me know if this is a safe procedure as a lot of certificates have been issued already   and      if   I change will the already issued certificates have any issues.
6. if you have a document that can help me with this change I will be grateful as I have to do this task in a couple of days in production.

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question