Solved

question related to SHA-1

Posted on 2016-08-19
Last Modified: 2016-09-30
We have a two-tier PKI hierarchy using Microsoft ADCS. Both the standalone Root CA and the Enterprise Sub CA are using SHA-1 as CSP. We have issued certificates to a lot of apps, including Web, Exchange, SCOM, SCCM, and clients for mail signing. Now we understand that SHA-1 will be deprecated and I want to know:

1. What will be the effect on my environment?
2. Am I required to upgrade, and what should I upgrade? Both Root and Sub CA? Our Root and Sub CA are 2012 R2 with SHA-1.
3. What happens to the certificates already issued by the CA using SHA-1?
4. How to upgrade?

I would appreciate a detailed reply.
Question by: Aamer-

Accepted Solution

by: Adam Brown (earned 500 total points)
ID: 41763130
1. Following the deprecation, Internet Explorer and other web browsers will begin notifying users that the certificate is using an insecure algorithm. It *should* allow users to continue, but I can't guarantee that. It will also be likely that you can configure IE to ignore the warnings automatically, but again, no guarantees.
2. You won't necessarily be required to upgrade, but given the likelihood that web browsers will pitch a fit with SHA-1 certs, it's a good idea to. You will not need to upgrade your servers, either the Root or Subs, but you will need to regenerate the CA certificate using (preferably) SHA-256 or better, and any Subordinates you have will need to be given new certificates generated by the new Root CA.
3. If you don't upgrade, your clients will just start getting certificate warnings after the update that deprecates SHA-1 is installed. If you do upgrade, those certificates will need to be regenerated with the new CA certs or you will get certificate trust warnings.
4. Answered in 2: Revoke your Root CA certificate and generate a new one using a better algorithm. Then just go down the chain to the certificates themselves: revoke the Sub CA and generate a replacement, then revoke any deployed certificates and regenerate those. You don't technically have to revoke the SHA-1 certificates, but a revoked certificate will not allow users to continue viewing the webpage, whereas the SHA-1 security notification will probably just be a bypassable warning.
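Before touching either CA, it helps to see exactly what each one is doing today, because two separate settings are in play: the key provider and hash the CA uses to sign the certificates it issues, and the algorithm that was used to sign the CA's own certificate. The following PowerShell is an added example, not part of the answer above and not Microsoft's own tooling. It reads the same CertSvc registry values that `certutil -getreg ca\csp\*` shows, and it assumes that a provider name containing "Key Storage Provider" means the CA is on a KSP (legacy CSP names such as "Microsoft Strong Cryptographic Provider" are not), and that the CA certificate sits in the machine's personal store under the CA's common name. Run it in an elevated PowerShell session on the CA server.

```powershell
# Added example (not from the thread). Run elevated on the CA server.
# Reports the CA's key provider and issuing-hash settings, and separately the
# signature algorithm of the CA's own certificate, then offers a guarded switch
# of the issuing hash to SHA-256 (only valid once the CA runs on a KSP).

$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSigningConfig {
    # The 'Active' value under Configuration names the CA instance on this server.
    $caName = (Get-ItemProperty -Path $ConfigRoot).Active
    $csp    = Get-ItemProperty -Path "$ConfigRoot\$caName\CSP"

    # Assumption: a CNG provider name contains 'Key Storage Provider'; anything
    # else (e.g. 'Microsoft Strong Cryptographic Provider') is a legacy CAPI CSP.
    $isKsp = $csp.Provider -like '*Key Storage Provider*'

    # HashAlgorithm is a legacy CAPI ALG_ID (0x8004 = SHA-1, 0x800C = SHA-256).
    # CNGHashAlgorithm ('SHA1', 'SHA256', ...) is the value a KSP-backed CA honours.
    if ($csp.HashAlgorithm -eq 0x8004)     { $legacyHash = 'SHA1' }
    elseif ($csp.HashAlgorithm -eq 0x800C) { $legacyHash = 'SHA256' }
    else                                   { $legacyHash = $csp.HashAlgorithm }

    # The CA's own certificate: its signature algorithm was chosen by whoever
    # signed it (the root for a sub CA, itself for a root CA), not by this CA's CSP.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        CAName             = $caName
        Provider           = $csp.Provider
        UsesKsp            = $isKsp
        IssuingHash        = if ($isKsp) { $csp.CNGHashAlgorithm } else { $legacyHash }
        CACertSignatureAlg = $caCert.SignatureAlgorithm.FriendlyName
        CACertExpires      = $caCert.NotAfter
    }
}

function Set-CaIssuingHashSha256 {
    # Changes the hash used for everything the CA signs from now on (new certs, CRLs).
    # Certificates already issued with SHA-1 are untouched; they stay SHA-1 until reissued.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $cfg = Get-CaSigningConfig
    if (-not $cfg.UsesKsp) {
        throw "CA '$($cfg.CAName)' runs on CSP '$($cfg.Provider)'; migrate its key to a KSP before switching to SHA-256."
    }
    if ($PSCmdlet.ShouldProcess($cfg.CAName, 'Set CNGHashAlgorithm=SHA256 and restart CertSvc')) {
        & certutil.exe -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
        Restart-Service -Name CertSvc
    }
}

# Usage:
#   Get-CaSigningConfig | Format-List
#   Set-CaIssuingHashSha256 -WhatIf      # preview; drop -WhatIf to apply
```

Read `IssuingHash` and `CACertSignatureAlg` as two different questions: the first is what the CA will stamp on the next certificate it issues, the second is what is already stamped on the CA's own certificate and can only change by renewing that certificate. On a root CA the second value matters less than on a sub CA, since clients trust a root by its presence in the store rather than by validating its self-signature.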

Author Comment

by: Aamer-
ID: 41763590
So, to tide over the possibility that the users may start getting errors, it is better to upgrade?

Now, my root CA is still using a CSP as it was upgraded from 2003, so it needs to be changed from CSP to KSP, and what follows is like rebuilding the whole PKI hierarchy: new cert for the Root, new certs for the Sub CA and new certs for apps. I am worried what will happen, after I upgrade, to all the certificates that have already been issued and are in production.

One of the feedbacks I got is:

An issuing CA can have its own certificate signed with SHA-1 and be able to issue certificates signed with SHA-256 as long as it is using a KSP.

Existing SHA-1 certificates will continue to be valid. The 01/10/2017 deprecation deadline only applies to third-party CAs who are members of the Microsoft Root Program.

Now I am confused. Kindly clarify.
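The feedback quoted in the comment above turns on the fact that each link of a chain carries its own signature algorithm, so the practical question for already-deployed certificates is which link is SHA-1. The following PowerShell is an added example, not from the thread, that walks the chain of every certificate with a private key in a server's machine store and flags the links that would need reissuing. It assumes `Cert:\LocalMachine\My` is where the server's application certificates live, and it treats a root's self-signature as out of scope because clients trust a root by its presence in the store, not by verifying that signature. Run it on a web, Exchange or other application server that holds certificates from the internal CA.

```powershell
# Added example (not from the thread). Run on a server holding certificates
# issued by the internal CA. Lists, per certificate, the signature algorithm of
# each chain link (end entity, issuing CA, root) and which links are SHA-1.

function Get-ChainSignatureReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups: only the chain's shape and algorithms matter here.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)   # partial chains are still reported

    $elements = $chain.ChainElements
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $c = $elements[$i].Certificate
        $isSelfSigned = ($c.Subject -eq $c.Issuer)
        $role = if ($isSelfSigned) { 'Root' } elseif ($i -eq 0) { 'EndEntity' } else { 'IssuingCA' }
        $alg  = $c.SignatureAlgorithm.FriendlyName   # e.g. 'sha1RSA', 'sha256RSA'

        [pscustomobject]@{
            LeafThumbprint = $Certificate.Thumbprint
            Role           = $role
            Subject        = $c.Subject
            Signature      = $alg
            # A root's self-signature is not what clients validate, so SHA-1 there is
            # tolerated; SHA-1 on an end-entity or issuing-CA link is what triggers warnings.
            NeedsReissue   = ($role -ne 'Root') -and ($alg -like 'sha1*')
            NotAfter       = $c.NotAfter
        }
    }
}

function Get-Sha1CertInventory {
    # Every certificate with a private key in the machine store, reduced to the
    # chain links that are SHA-1 signed and not a root.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { Get-ChainSignatureReport -Certificate $_ } |
        Where-Object { $_.NeedsReissue }
}

# Usage:
#   Get-Sha1CertInventory | Format-Table Role, Subject, Signature, NotAfter -AutoSize
```

If the output shows `IssuingCA` rows with `sha1RSA` but `EndEntity` rows with `sha256RSA`, that is exactly the situation the quoted feedback describes: the sub CA was itself signed with SHA-1 but has been issuing SHA-256 certificates. Fixing the end-entity rows means reissuing those certificates after the CA is switched to SHA-256; fixing the issuing-CA rows means renewing the sub CA's certificate from a root that signs with SHA-256.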