Solved

question related to SHA-1

Posted on 2016-08-19
Last Modified: 2016-09-30
We have a two-tier PKI hierarchy using Microsoft ADCS. Both the standalone Root CA and the Enterprise Sub CA are using SHA-1 as CSP. We have issued certificates to a lot of apps including (Web, Exchange, SCOM, SCCM, clients for mail signing). Now we understand that SHA-1 will be deprecated and I want to know:

1. What will be the effect on my environment?
2. Am I required to upgrade, and what should I upgrade? Both Root and Sub CA? Our Root and Sub CA are 2012 R2 with SHA-1.
3. What happens to the certificates already issued by the CA using SHA-1?
4. How to upgrade?

Appreciate a detailed reply.
Question by:Aamer-
2 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41763130
1. Following the deprecation, Internet Explorer and other web browsers will begin notifying users that the certificate is using an insecure algorithm. It *should* allow users to continue, but I can't guarantee that. It will also be likely that you can configure IE to ignore the warnings automatically, but again, no guarantees.
2. You won't necessarily be required to upgrade, but given the likelihood that web browsers will pitch a fit with SHA-1 certs, it's a good idea to. You will not need to upgrade your servers, either the Root or Subs, but you will need to regenerate the CA certificate using (preferably) SHA-256 or better, and any Subordinates you have will need to be given new certificates generated by the new Root CA.
3. If you don't upgrade, your clients will just start getting certificate warnings after the update that deprecates SHA-1 is installed. If you do upgrade, those certificates will need to be regenerated with the new CA certs or you will get certificate trust warnings.
4. Answered in 2: Revoke your Root CA certificate and generate a new one using a better algorithm. Then just go down the chain to the certificates themselves: revoke the Sub CA and generate a replacement, then revoke any deployed certificates and regenerate those. You don't technically have to revoke the SHA-1 certificates, but a revoked certificate will not allow users to continue viewing the webpage, whereas the SHA-1 security notification will probably just be a bypassable warning.

Author Comment

by:Aamer-
ID: 41763590
So, to tide over the possibility that the users may start getting errors, it is better to upgrade?

Now that my Root CA is still using a CSP, as it was upgraded from 2003, it needs to be changed from CSP to KSP. And what follows is like rebuilding the whole PKI hierarchy: new cert for Root, new certs for Sub CA and new certs for apps. I am worried what will happen, after I upgrade, to all certificates which have already been issued and are in production.

One of the feedbacks I got is:

An issuing CA can have its own certificate signed with SHA-1 and be able to issue certificates signed with SHA-256 as long as it is using a KSP.

Existing SHA-1 certificates will continue to be valid. The 01/10/2017 deprecation deadline only applies to third-party CAs who are members of the Microsoft Root Program.

Now I am confused. Kindly clarify.
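An added example, not part of the question or either reply, covering the inventory step behind the accepted answer's procedure and the CSP/KSP point raised in the follow-up comment. It lists every SHA-1-signed certificate in the local machine stores (so the issued certificates and chain members affected by the deprecation are visible before anything is revoked) and, when run on the CA itself, reads the CA's configured provider and hash algorithm from the ADCS configuration registry key. The store paths and the registry location are the standard Windows defaults and are assumed here, not taken from the thread.

```powershell
# Added example: inventory SHA-1 signatures in the machine stores and show the CA's provider settings.
# Assumes Windows PowerShell 3+; Get-CaProviderSettings returns $null on a box that is not a CA.

# Signature-algorithm OIDs that mean SHA-1: sha1RSA, sha1WithRSAEncryption, ecdsa-with-SHA1
$sha1Oids = @('1.3.14.3.2.29', '1.2.840.113549.1.1.5', '1.2.840.10045.4.1')

function Get-Sha1SignedCertificates {
    param([string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'))
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path |
            Where-Object { $sha1Oids -contains $_.SignatureAlgorithm.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # A self-signed root is a trust anchor; relying parties trust it by identity, not by its own signature
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

function Get-CaProviderSettings {
    # Standard ADCS configuration key; the 'Active' value names the CA's own subkey
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { return $null }
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $csp = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")
    [pscustomobject]@{
        CA               = $caName
        Provider         = $csp.Provider
        # Heuristic: Microsoft's KSP names contain 'Key Storage Provider'; HSM KSPs may be named differently
        IsKsp            = ($csp.Provider -like '*Key Storage Provider*')
        CngHashAlgorithm = $csp.CNGHashAlgorithm   # e.g. SHA1 or SHA256; only set when a KSP is in use
        HashAlgorithm    = $csp.HashAlgorithm      # legacy CSP ALG_ID value (0x8004 = SHA-1)
    }
}

Get-Sha1SignedCertificates | Sort-Object SelfSigned, NotAfter | Format-Table -AutoSize
Get-CaProviderSettings
```

Run it on a member server first to see which issued and intermediate certificates carry SHA-1 signatures, then on the CA to confirm whether the issuing CA is on a CSP or a KSP before deciding how much of the hierarchy to rebuild.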