sara2000
asked on
Upgrade root CA from SHA1
I would like to upgrade our root CA from SHA1 to SHA256.
I would appreciate any help on this.
In particular, what would happen to the existing issued certificates for computers, servers and service accounts? Is it not a disruptive upgrade?
ASKER
So SHA2 will not be effective until our PCs get a new certificate? Is there any way we can renew the PCs' certs after SHA256 instead of waiting for the renewal period?
SHA2 will not be effective until your CA certificate is renewed with a SHA256 bit key.
Once you have renewed the CA cert with the new algorithm, your clients can get certs with the 256 bit key algorithm.
However, clients will not trigger autoenrollment again before their renewal period starts.
You could revoke currently issued certs from the CA console so that the client will try to re-enroll a new cert - test it first.
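To see which certificates on a machine are still SHA-1 signed after the CA has been renewed, and how long each has left before it expires, a check along these lines can be run on a client. This is an added example, not part of the original thread; the function name `Get-Sha1SignedCertificate` and the default store path are assumptions.

```powershell
# Added example: list certificates in a store whose signature still uses SHA-1.
# Standard signature-algorithm OIDs that are based on SHA-1.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1RSA
    '1.2.840.10045.4.1',     # sha1ECDSA
    '1.2.840.10040.4.3',     # sha1DSA
    '1.3.14.3.2.29'          # sha1RSA (legacy OIW OID)
)

function Get-Sha1SignedCertificate {
    param(
        # Store to scan. The computer's personal store is an assumption;
        # use Cert:\CurrentUser\My for user certificates.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date

    Get-ChildItem -Path $StorePath |
        # Match on the OID rather than the friendly name, which can be localized.
        Where-Object { $Sha1SignatureOids -contains $_.SignatureAlgorithm.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Subject            = $_.Subject
                Issuer             = $_.Issuer
                Thumbprint         = $_.Thumbprint
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                NotAfter           = $_.NotAfter
                # Negative values mean the certificate has already expired.
                DaysRemaining      = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            }
        } |
        Sort-Object DaysRemaining
}

# Certificates closest to expiry are listed first.
Get-Sha1SignedCertificate | Format-Table -AutoSize
```

An empty result means no certificate in that store carries a SHA-1 based signature; anything listed was issued before the CA started signing with SHA256 and has not yet been replaced.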
Please refer to the steps advised in the below articles.
https://support.symantec.com/en_US/article.TECH246255.html
https://itsalwaysmyproblem.com/2017/06/07/upgrading-windows-pki-from-sha1-to-sha2/
Hope that helps.
Thanks,
Abhi...