sara2000 asked:

SHA1 to SHA256

We have an Enterprise root CA server with SHA1 and a Key Storage Provider (KSP) running on Windows 2012 R2. We are planning to move it from SHA1 to SHA2. I have a couple of questions; I hope someone can shed some light on them.
Right now we have root certificate #0 with SHA1. I guess that we have to renew the root certificate for SHA2 for future client certificates by issuing certutil -setreg ca\csp\CNGHashAlgorithm SHA256.
1. Will this command change certificate #0 from SHA1 to SHA256, or do I have to renew the root CA and get certificate #1?

2. We have an authentication server with a SHA1 cert. Will there be any issue if a user's PC gets renewed with a SHA2 certificate before the authentication server?
noci:

1) You can; if you do, old certificates can still be valid (then the root CA is "renewed").
There is no need to... A new root key does mean that all keys still alive that are signed by the old key will need re-signing as well
(unless you start a new root, new ID etc.; then they can live in parallel until you revoke the old root).

2) Should not happen if the old CA key is reissued identically (signing still matches), IDs are the same.
If there is a parallel certificate it is just like switching CA root. As long as both roots can be verified, both should work.

My question to you... just to practice all the situations on your site, why not try this with a lab system?
That will also provide you with the training you need for the transition, and when to do what and how long actions take,
as well as provide a chance to exercise.
sara2000 (asker):

Thanks Noci.
I am using the Microsoft hands-on lab. I issued the command below on the cert server:
PS> certutil -setreg ca\csp\CNGHashAlgorithm SHA256
and noticed that certificate #0 has been changed from SHA1 to SHA256.
Does this mean I do not need to renew the root CA's certificate and future client certificates will be SHA256?
I have no Windows systems... X.509 certificates work in a certain way... I have no idea how the Microsoft cert server works, what is available or not, or how it needs to be configured....

For certificates to be recognized they must in some way be "trusted". On Unix systems that means they must be in the /etc/ssl/certs directory together with a symlink to it based on the fingerprint.
In Java they need to be added to the trusted store; I guess Windows also has a trusted store (on each system that must be able to verify the CA root)... that is, all systems that use the current certificate.
ASKER CERTIFIED SOLUTION
Jakob Digranes

Thank you for the reply.
I am working on a lab server. I am trying to renew the root CA with the same key pair after I upgraded the signature algorithm, but I do not get the new root certificate; if I renew the certificate with a new key pair then I get a new root certificate. I am not sure why I cannot create a new cert with the same key.
Will there be any issue if I create the new root certificate with the new key?
You cannot upgrade the algorithm and renew using the same key.
I have seen a couple of articles and they mentioned using either the same key or a new key.
Here is the Microsoft article, which must have been verified:
https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

"Renewing the CA’s own certificate with a new or existing (same) key would depend on the remaining validity of the certificate. If the certificate is at or nearing 50% of its lifetime, it would be a good idea to renew with a new key. See the following for additional information on CA certificate renewal –"
Also, the link below does either: https://support.symantec.com/en_US/article.TECH246255.html
"So there you go. You have your existing Certification Authority issuing SHA2 algorithm certificates and CRLs. This does not mean that you will start seeing the SHA256 RSA for signature algorithm or SHA256 for signature hash algorithm on the certification authority's certificates. For that to happen you would need to do the following:

- Update the configuration on the CA that issued its certificate and then renew with a new key.

- If it is a Root CA then you also need to renew with a new key."

from this blog: https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/

If you create it with a new key, the only thing you need to make sure of is that the root certificate is published to a valid AIA location.
Sorry for my lack of knowledge.
"Update the configuration on the CA that issued its certificate and then renew with a new key."
Is that certutil -setreg?
Ah... I probably was a bit short in that last message.

Do this to change to SHA256:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Thanks Jakob.
Should I run certutil -crl at the end? I appreciate your help.
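The steps discussed across the thread (set CNGHashAlgorithm to SHA256, renew the CA certificate with a new key, publish the new root, then run certutil -crl) collected into one script, with the checks an administrator would want before and after. This is an added example, not code from the thread or from Microsoft; the CA name in $CaName and the CertEnroll file name pattern are assumptions to replace for your own CA, and it is meant for a lab CA like the one the asker is using.

```powershell
# Added example: migrate an AD CS CA that uses the Microsoft KSP from SHA1 to SHA256,
# renew the CA certificate with a new key pair, publish it, and verify the result.
# Run in an elevated PowerShell session on the CA itself.
$CaName = 'Contoso-Root-CA'   # assumed placeholder: the CA's common name

function Get-CaRegistryValue {
    # Thin wrapper around 'certutil -getreg' that returns the output as one string.
    param([string]$Key)
    (certutil -getreg "ca\$Key" 2>&1) | Out-String
}

# 1. Precondition: CNGHashAlgorithm is only honoured when the CA key is held by a
#    CNG Key Storage Provider. A legacy CSP ignores it and uses ca\csp\HashAlgorithm.
$provider = Get-CaRegistryValue 'csp\Provider'
if ($provider -notmatch 'Key Storage Provider') {
    throw "CA key is not in a KSP, so CNGHashAlgorithm will not apply:`n$provider"
}

# 2. Record the current setting, switch the CA to SHA256, and restart the service
#    so the change takes effect for newly issued certificates and CRLs.
Write-Host 'Before:' (Get-CaRegistryValue 'csp\CNGHashAlgorithm')
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc
Write-Host 'After: ' (Get-CaRegistryValue 'csp\CNGHashAlgorithm')

# 3. Renew the CA's own certificate. Step 2 only changes how the CA signs what it
#    issues; the CA certificate itself keeps its SHA1 signature until it is renewed.
#    Without the 'ReuseKeys' argument certutil generates a new key pair (the path the
#    thread settles on); 'certutil -renewCert ReuseKeys' would keep the existing one.
#    Renewal produces certificate #1; certificate #0 stays valid for chains already issued.
certutil -renewCert

# 4. Publish the renewed root certificate to Active Directory so domain members
#    pick it up as a trusted root (the AIA point Jakob raised). The file name pattern
#    below is an assumption about the CertEnroll naming on this CA; adjust as needed.
$newRoot = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*$CaName(1).crt" -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($newRoot) {
    certutil -dspublish -f $newRoot.FullName RootCA
} else {
    Write-Warning 'Renewed CA certificate not found in CertEnroll; publish it manually.'
}

# 5. Issue a fresh CRL under the new settings (this is the 'certutil -crl' the asker mentions).
certutil -crl

# 6. Verify: list every CA certificate in the machine store with its signature algorithm.
#    Expect the newest entry to show sha256RSA while the original still shows sha1RSA.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotBefore |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }

# certutil -cainfo reports each CA certificate index and whether it is still valid,
# which is the easiest way to confirm that #0 and #1 now coexist.
certutil -cainfo
```

The KSP check in step 1 is the caveat that most often trips up this migration: the asker's CA is on the KSP, so the command works as observed, but on a CA still using a legacy CSP the same command changes nothing. Step 6 is what distinguishes the two questions in the thread: the CA's issuing algorithm changes at step 2, but the CA certificate's own signature only changes after step 3.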