We have a root Ent CA server with SHA1 and Key Storage Provider (KSP) running on Windows 2012 R2. We are planning to move it from SHA1 to SHA2. I have a couple of questions and hope someone can shed light on them.
Right now, we have root certificate#0 with SHA1. I guess that we have to renew the root certificate for SHA2 for future client certificates by issuing Certutil -setreg ca\csp\CNGHashalgorithm SHA256.
1. Will this command change certificate#0 to 256 from SHA1, or do I have to renew the root CA and get certificate#1?
2. We have an authentication server with a SHA1 cert. Will there be any issue if a user's PC gets renewed with a SHA2 certificate before the authentication server?