I am a little new to AD CS and I was tasked with upgrading our entire PKI infrastructure from SHA1 to SHA256 for the SHA1 deprecation. I have read somewhere that SHA256 can read SHA1 hashes. This doesn't seem right to me, so I was curious whether anyone has had any experience with migrating from SHA1 to SHA256; any advice would be much appreciated. Listed below are the articles I have found.

Thank you very much!

Matt L.
  • A Server 2012R2 install can understand SHA256 and SHA1. However, they are completely different hash algorithms and are not compatible. The best approach would be to build a parallel SHA256 (or SHA384/512) PKI and slowly upgrade all the older SHA1 only systems to newer SHA256 compatible systems. You may find that at the end of this process that you have a few really old systems that are out of support and won't work with SHA256. In that case, you'll have to leave two PKIs running or completely ditch those older systems. – garethTheRed May 31 '16 at 11:49
  • So my best approach is to make a new Root CA with a SHA256 private key, then create a policy/issuing CA to handle the certificates within the environment. I could use web enrollment so our administrators could get the certs they need in order to migrate over on their own, on top of GPO deployment. How many certs can a machine hold from a single CA? Unlimited? Also, is OCSP for CRLs recommended in most environments? Once again, new to ADCS. Thank you very much for your feedback @garethTheRed – Matt L. May 31 '16 at 13:46
  • This is probably too large a subject to answer in ServerFault. PKI isn't trivial to do properly. Questions you should ask yourself before you start: Do you need a HSM? Is a Policy CA needed? Are you aware of the security implications of web enrollment? Are you expecting your CRL to grow much in size? How often will you update your CRLs? Will you use HTTP for CRLs or LDAP too? Etc, etc, etc... – garethTheRed May 31 '16 at 13:57
  • At the very least, buy a good book on the subject. – garethTheRed May 31 '16 at 13:57
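The comments above make the key point that a certificate is signed with exactly one hash algorithm, so "SHA256 can read SHA1" is not a thing: every SHA1-signed certificate in the chain has to be reissued or replaced. Before building the parallel SHA256 hierarchy the commenter recommends, the first practical step is an inventory of what is still SHA1-signed. The script below is an added example, not code from the question or the commenters; it assumes it is run in an elevated PowerShell session on a domain-joined Windows server, uses only the standard local machine certificate stores, and uses the documented `certutil -getreg` switch to read the CA's configured CNG hash algorithm when the script happens to run on a CA.

```powershell
# Added example (not from the original post): list certificates whose signature
# algorithm is still SHA-1 so the SHA-1 -> SHA-256 migration can be scoped.
# Assumptions: elevated session, domain-joined server, default machine stores.

function Get-Sha1SignedCertificates {
    param(
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\My',    # this machine's own certificates
            'Cert:\LocalMachine\Root',  # trusted root CAs
            'Cert:\LocalMachine\CA'     # intermediate / issuing CAs
        )
    )
    # Signature-algorithm OIDs that use SHA-1 (RSA, OIW RSA, DSA, ECDSA).
    $sha1Oids = @(
        '1.2.840.113549.1.1.5',  # sha1RSA
        '1.3.14.3.2.29',         # sha1WithRSAEncryption (OIW)
        '1.2.840.10040.4.3',     # dsa-with-sha1
        '1.2.840.10045.4.1'      # ecdsa-with-SHA1
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $alg = $_.SignatureAlgorithm
            if ($sha1Oids -contains $alg.Value) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    Algorithm  = $alg.FriendlyName
                    NotAfter   = $_.NotAfter
                    # A self-signed SHA-1 entry in Root is a root CA that needs
                    # a new SHA-256 hierarchy, not just a renewed leaf cert.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
        }
    }
}

Get-Sha1SignedCertificates | Sort-Object Store, NotAfter | Format-Table -AutoSize

# If this host is a CA, show the hash algorithm it is currently configured to
# sign new certificates and CRLs with. Switching it to SHA256 (the Microsoft
# documented change is certutil -setreg ca\csp\CNGHashAlgorithm SHA256 followed
# by a CertSvc restart) only affects what the CA issues from then on; the CA's
# own SHA-1 certificate stays SHA-1 until it is renewed or replaced, which is
# why the parallel SHA-256 PKI suggested above is usually the cleaner route.
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    certutil -getreg ca\csp\CNGHashAlgorithm
}
```

Run it on a representative member server, on each issuing CA, and on the root CA host; any row where `SelfSigned` is `True` identifies a CA certificate that a new SHA256 hierarchy will have to replace, while the remaining rows are the leaf certificates the administrators will need to re-enroll from the new issuing CA.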

0 Answers