sara2000
Renew root CA with SHA2

I have taken over the admin responsibility of a root CA. I got some knowledge after reading several posts and experts' comments on my previous question.
Our server is Windows 2012 R2 and the cryptographic provider is KSP. In this case, I only need the two steps below:

1- certutil -setreg ca\csp\CNGHashAlgorithm SHA256
2- Renew the CA's certificate with new key.
My understanding is that the server will have both SHA1 and SHA256 root certs, and new certificates for devices will be issued with SHA256 if any device requests one. And there will not be any issue with our RADIUS/NPS, printers, Wi-Fi, PCs etc. since they are using the SHA1 certificates until their renewal period is reached next year.
My confusion is: what would happen when I install a new PC?
The new PC is going to have a certificate with SHA256, but the NPS server still has a certificate with SHA1.
Does the hash algorithm matter?
David Johnson, CD
You don't need to do this; just do it for the subordinate CAs (issuing CAs). Or is this a stand-alone CA?
If stand-alone:

https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/
sara2000 (ASKER)
We do not have a subordinate/standalone CA. We have a Windows root CA and it is issuing the certificates.
Here is my question:
For example, the authentication server got its cert renewed today with a SHA256 cert and the PCs still have SHA1 certificates.
Can a PC have a SHA1 cert while an authentication device/server has a SHA256 cert?
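One way to check the state this thread is about on a domain machine, as an added example that is not from the thread or its accepted answer: confirm which hash the CA is configured to sign with, see which root CA certificates (the old SHA1 one and, after renewal, the SHA256 one) are present in the trusted root store, and inventory the machine certificates issued by that CA by signature hash so you can see which endpoints still carry SHA1 certs. `$CaName` is an assumed placeholder for your CA's subject, and the `certutil -getreg` line only applies when run on the CA server itself.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a
# domain-joined Windows machine (2012 R2 or later).
$CaName = 'CN=Contoso-Root-CA'   # assumed placeholder; replace with your root CA's subject

# On the CA server only: show the hash that new certificates will be signed with
# (this is the KSP setting the thread sets with certutil -setreg).
certutil -getreg ca\csp\CNGHashAlgorithm

# Root CA certificates trusted by this machine that match the CA subject.
# After renewing the CA with a new key you should see two entries here:
# the original sha1RSA certificate and the new sha256RSA one.
"=== Root CA certificates in the trusted root store ==="
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaName*" } |
    Select-Object Thumbprint, NotBefore, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# Machine certificates (e.g. the NPS server cert or a PC's client-auth cert)
# issued by that CA, grouped by signature hash. Entries showing sha1RSA are the
# ones that will only move to SHA256 when they are renewed.
"=== Certificates issued by the CA in the machine store ==="
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$CaName*" } |
    Select-Object Subject, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Sort-Object SigAlg, NotAfter |
    Format-Table -AutoSize
```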
ASKER CERTIFIED SOLUTION
David Johnson, CD