compdigit44
Windows 2012 R2 CA Migrating to SHA256
Our internal Security team's scans have shown that all of our issued internal certificates are still using SHA1. I know this is now deprecated and SHA2 / 256 is preferred, and I have been holding off since I do not want to break anything in my environment. CAs in our environment are used for the following:
- SCCM 2012 R2 for workstation communications
- Web Servers
- DCs that host the NPS servers, which are for our wireless devices and require a device to have a cert before it can connect to the network.
- EFS
I know MS has published an article on how to migrate to SHA2 / 256 https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/ but have the following questions.
1) Since I am using 2012 R2, are there any native PowerShell commands that list what certs are issued per template, so I do not need to download the PKI PowerShell plugin from the Script Gallery? I want to inventory my environment first and not jump into anything.
2) One of the biggest problems security has detected is old expired certs on workstations / servers. How do others clean up expired certs on workstations?
3) I know moving to SHA-256 is important for external certs, but how many have moved to SHA-256 for internal? I know the importance of doing this but am worried about breaking any application in the process.
If I did do this I would need to do the Root first, and reissue root CAs, correct?
ASKER
I do have a tiered setup: an offline root, a sub CA and even a separate CRL server. Is it possible to move to SHA256 but still have the option to issue a cert using SHA1? I do have a handful of XP and 2003 servers still around.
As David says - stay with SHA1 until XP and 2003 are removed, which should be sooner rather than later.
ASKER
Thanks everyone, is there a list out there that shows which certificate hash types each OS version supports?
On a side note, Version 1 templates do not support auto-enroll, correct? If so, I am trying to figure out how all of my workstations got the default computer cert installed at some point.
ASKER
Thank you everyone for the great feedback. One more question: for those who have already done this process, do you know of any good scripts to list all devices issued per certificate template type and export the results to a file?
2) Generally speaking, expired certs aren't considered a security issue. They are expired after all.
3) Yes, I've done it. Yes, you have to be cautious. Your old and new root certificates will live side by side for a time. But it isn't overly risky or painful with due diligence.
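An added example (not from any participant in this thread) for question 1 and the later request for an export script: it reads the CA database through the built-in CertificateAuthority.View COM interface that ships with AD CS, so no PSPKI download is needed, decodes each issued certificate to see which signature hash the CA actually used, and exports the inventory grouped by template. The CA config string and output path are placeholders; run it on the CA (or a host with the AD CS management tools) with CA read/auditor rights.

```powershell
# Added example: inventory issued certs per template and signature hash straight from the
# CA database, without the PSPKI module. $CaConfig is a placeholder; take the real value
# from the "Config:" line of:  certutil -dump
function Get-IssuedCertInventory {
    param([string]$CaConfig = "CA01.corp.example\Corp Issuing CA")

    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($CaConfig)

    # Only rows with Disposition 20 (= issued); CVR_SEEK_EQ = 1, CVR_SORT_NONE = 0
    $dispIdx = $view.GetColumnIndex($false, "Request.Disposition")
    $view.SetRestriction($dispIdx, 1, 0, 20)

    $columns = "Request.RequestID", "Request.RequesterName",
               "CertificateTemplate", "NotAfter", "RawCertificate"
    $view.SetResultColumnCount($columns.Count)
    foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $c)) }

    $rows = $view.OpenView()
    while ($rows.Next() -ne -1) {
        $rec  = @{}
        $cols = $rows.EnumCertViewColumn()
        while ($cols.Next() -ne -1) {
            # GetName() is the non-localized column name; 1 = CV_OUT_BASE64, so the
            # RawCertificate column comes back as a base64 string (other columns unaffected)
            $rec[$cols.GetName()] = $cols.GetValue(1)
        }
        # Decode the certificate to read the hash the CA signed it with (sha1RSA / sha256RSA)
        $bytes = [Convert]::FromBase64String($rec["RawCertificate"])
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
        [pscustomobject]@{
            RequestID = $rec["Request.RequestID"]
            Requester = $rec["Request.RequesterName"]
            Template  = $rec["CertificateTemplate"]   # v1 templates show a name, v2+ an OID
            NotAfter  = $rec["NotAfter"]
            Expired   = ($rec["NotAfter"] -lt (Get-Date))
            Signature = $cert.SignatureAlgorithm.FriendlyName
        }
    }
}

$inventory = Get-IssuedCertInventory -CaConfig "CA01.corp.example\Corp Issuing CA"
# Quick view: how many certs per template are still SHA1-signed and not yet expired
$inventory | Where-Object { -not $_.Expired } |
    Group-Object Template, Signature | Select-Object Name, Count | Sort-Object Name
# Full export for the security team (placeholder path)
$inventory | Export-Csv -Path ".\IssuedCerts.csv" -NoTypeInformation
```

Templates appear by OID for version 2 and later; `certutil -v -template` lists the template names next to their OIDs if you need to map them.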