Active Directory Certificate Services self-signed certificate. Chrome shows as unsupported because of being SHA-1.

Hi guys

I've just had to use the Active Directory Certificate Services to create a self-signed web certificate for our firewall. Our servers are Windows 2008 R2.

I've installed the certificate with a 2048 encryption, but now Google Chrome is having a hissy fit because it says that it is a SHA-1 and that it is untrusted.

Does the Windows 2008 R2 support SHA-2 at all? Or is this one of those doom day things that I can't do anything about unless i upgrade to Windows 2012R2?

Thanks for helping
Yashy
LVL 1
YashyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LearnctxEngineerCommented:
You need to enable support for internal SHA1 cert chains. This can be done via Chrome GPO settings.

see https://www.chromium.org/administrators/policy-list-3#EnableSha1ForLocalAnchors

There is no real push for internal CA's to move to SHA2, its more of an advisory for the public. Still a good idea if you can. As for upgrading your 2008 R2 CA to SHA2, you certainly can,but you might as well migrate off of 2008 R2 as its approaching end of life anyway.
2
YashyAuthor Commented:
The issue is that there's a lot of talk on central store of the .admx files. So for example, I have this location: \\uk.fc.local\SysVol\uk.fc.local\Policies

But I see a load of policies in there. I don't see a 'PolicyDefinitions' folder which is where everyone keeps saying I have to put these files into? Not making sense.

I appreciate the help.
0
Jeff GloverSr. Systems AdministratorCommented:
OK, not sure what the GPO question has to do with Certificates but.... You will not see a PolicyDefinitions folder there until you make it. By default the folder holding the definitions is c:\windows\PolicyDefinitions. But to use new ADMX files, you need to create a folder called PolicyDefinitions in the Sysvol\<domain>\policies folder. Then copy the existing files and folders from c:\windows\PolicyDefinitions to that folder. this creates a central store so when you add new templates (admx and adml files), they will replicate to all DCs. Any new templates should be added to the central store when you download them.
The specifics are covered here. https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra

  Also for your CA, I recommend you add a new Root CA running 2012r2 or 2016. then just remove the Templates from your current CA so it does not issue new ones. You will need to keep the old CA around until the issued certs expire. any new Certs, as long as your new CA is an enterprise root ca will come from it.  Trying to change your old CA to SHA2 seldom works right.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David Johnson, CD, MVPOwnerCommented:
that is your c:\windows\Policy Definitions folder and you copy the contents of that to “SYSVOL\<your domain>\Policies” folder on the domain controller.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.