Solved

question related to SHA-1

Posted on 2016-08-19
Last Modified: 2016-09-30
We have a two-tier PKI hierarchy using Microsoft ADCS. Both the standalone Root CA and the Enterprise Sub CA are using SHA-1 as CSP. We have issued certificates to a lot of apps including (Web, Exchange, SCOM, SCCM, clients for mail signing). Now we understand that SHA-1 will be deprecated and I want to know:

1. What will be the effect on my environment?
2. Am I required to upgrade, and what should I upgrade? Both Root and Sub CA? Our Root and Sub CA are 2012 R2 with SHA-1.
3. What happens to the certificates already issued by the CA using SHA-1?
4. How to upgrade?

appreciate a detailed reply
Question by:Aamer-
2 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41763130
1. Following the deprecation, Internet Explorer and other web browsers will begin notifying users that the certificate is using an unsecure algorithm. It *should* allow users to continue, but I can't guarantee that. It will also be likely that you can configure IE to ignore the warnings automatically, but again, no guarantees.
2. You won't necessarily be required to upgrade, but given the likelihood that web browsers will pitch a fit with SHA-1 certs, it's a good idea to. You will not need to upgrade your servers, either the Root or Subs, but you will need to regenerate the CA certificate using (preferably) SHA-256 or better, and any Subordinates you have will need to be given new certificates generated by the new Root CA.
3. If you don't upgrade, your clients will just start getting certificate warnings after the update that deprecates SHA-1 is installed. If you do upgrade, those certificates will need to be regenerated with the new CA certs or you will get certificate trust warnings.
4. Answered in 2: Revoke your Root CA certificate and generate a new one using a better algorithm. Then just go down the chain to the certificates themselves: revoke the Sub CA and generate a replacement, then revoke any deployed certificates and regenerate those. You don't technically have to revoke the SHA-1 certificates, but a revoked certificate will not allow users to continue viewing the webpage, whereas the SHA-1 security notification will probably just be a bypassable warning.
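The accepted answer describes a chain-wide re-issuance; before doing that, an administrator usually wants an inventory of what is still SHA-1 signed and a look at how the CA itself is configured to sign. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes it is run as a local administrator (step 2 and 3 on the CA host itself) and uses only the built-in certificate provider and certutil.

```powershell
# Added example: inventory SHA-1 signed certificates on a host, then inspect the ADCS
# signing configuration. Assumes an elevated PowerShell session; steps 2-3 run on the CA.

# 1. List every certificate in the machine stores whose signature algorithm is sha1RSA
#    (OID 1.2.840.113549.1.1.5). This is what browsers will start warning about.
$sha1Oid = '1.2.840.113549.1.1.5'
$stores  = 'My', 'CA', 'Root'
$report = foreach ($s in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$s" |
        Where-Object { $_.SignatureAlgorithm.Value -eq $sha1Oid } |
        Select-Object @{n = 'Store'; e = { $s }}, Subject, Issuer, NotAfter, Thumbprint,
                      @{n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName }}
}
$report | Sort-Object Store, NotAfter | Format-Table -AutoSize

# 2. On the CA: which provider holds the CA key (legacy CSP or CNG KSP), and which hash
#    does the CA sign new certificates with? The CA's *own* certificate being SHA-1
#    does not by itself stop it issuing SHA-256 certificates; the signing hash is set here.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\HashAlgorithm       # CSP-era value; 0x8004 is CALG_SHA1
certutil -getreg ca\csp\CNGHashAlgorithm    # honoured once the key lives on a KSP

# 3. With the key on a KSP, move new issuance to SHA-256 and restart the service.
#    This changes only certificates issued from now on; already-issued SHA-1
#    certificates stay SHA-1 until they are renewed or re-issued.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service -Name certsvc
```

Run step 1 on the CA hosts and on a sample of application servers (Exchange, SCOM, SCCM) to see how much of the estate the re-issuance described above actually touches; the `NotAfter` column shows which certificates would have expired anyway.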
 

Author Comment

by:Aamer-
ID: 41763590
So, to tide over the possibility that the users may start getting errors, it is better to upgrade?

Now that my Root CA is still using a CSP, as it was upgraded from 2003, it needs to be changed from CSP to KSP, and what follows is like rebuilding the whole PKI hierarchy: new cert for Root, new certs for Sub CA and new certs for apps. I am worried what will happen after I upgrade to all certificates that have already been issued and are in production.

One of the feedbacks I got is:

An issuing CA can have its own certificate signed with SHA-1 and be able to issue certificates signed with SHA-256 as long as it is using a KSP.

Existing SHA-1 certificates will continue to be valid. The 01/10/2017 deprecation deadline only applies to third-party CAs who are members of the Microsoft Root Program.

Now I am confused. Kindly clarify.