I am very new to ADCS, and have a challenge to migrate our old Tier-2 PKI to SHA-256. As it was suggested that we set up a parallel SHA-2 CA, I am not getting any idea how to go ahead with it. I can create an offline Root CA with SHA-2, but then how do I publish it to my current environment? Also, how do I stop using SHA-1 certs after some time? I tried searching blogs and articles, looking for a step-by-step document, but didn't find a suitable one. Any suggestion would be appreciated.

Thanks

Sulu
  • If your original Root CA is running on Server 2008 or later and you're running a KSP capable of SHA-256 (such as Microsoft Key Storage Provider), then you can simply switch your Root CA to sign SHA-256 with `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` and thereby avoid building a replacement. It's an option that might save some work. – garethTheRed Nov 10 '16 at 20:01
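The precondition in that comment (the CA key must live in a KSP, not a legacy CSP) is the part people trip over, so here is an added PowerShell check, not code from the thread. It assumes it runs elevated on the CA itself and reads the standard CertSvc registry configuration; the only non-standard thing is the hypothetical flow (check, switch, restart, re-read):

```powershell
# Added example, not from the original thread. Decides whether the existing CA
# can be switched to SHA-256 signing in place, then does it.
# Assumes: run elevated on the CA host. The registry paths are the standard
# CertSvc configuration keys; the CA name is read from the "Active" value.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey).Active
$csp       = Get-ItemProperty -Path (Join-Path $configKey "$caName\CSP")

"CA:               $caName"
"Provider:         $($csp.Provider)"
"HashAlgorithm:    $($csp.HashAlgorithm)"    # legacy CSP hash id, ignored for a KSP
"CNGHashAlgorithm: $($csp.CNGHashAlgorithm)" # KSP hash name, e.g. SHA1 or SHA256

# A KSP provider name ends in "Key Storage Provider"; a legacy CSP
# (e.g. "Microsoft Strong Cryptographic Provider") cannot sign SHA-256 here.
$usesKsp = $csp.Provider -like '*Key Storage Provider*'
if (-not $usesKsp) {
    Write-Warning "CA key is held by a legacy CSP ('$($csp.Provider)'). Move the key to a KSP before changing the hash algorithm."
    return
}
if ($csp.CNGHashAlgorithm -eq 'SHA256') {
    "CA already signs with SHA-256; nothing to do."
    return
}

# Switch the signing hash; it only applies to certificates and CRLs issued
# after the service restarts.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# Re-read the value to confirm the change took.
certutil -getreg ca\csp\CNGHashAlgorithm

# Caveat: the CA's own certificate keeps its SHA-1 signature until it is
# renewed (certutil -renewCert ReuseKeys, or the CA MMC). Relying parties
# check the hash on every certificate in the chain, not just the leaf.
```

The warning branch is the important one: `CNGHashAlgorithm` is silently ignored when the key sits in a legacy CSP, so check `Provider` before assuming the one-liner worked.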

1 Answer


I can create a offline Root CA with SHA-2, but then how do I publish it to my current environment.

Pretty much the same way you initially published the old certificate. You can publish it with a group policy, and/or publish it to AD (certutil -dspublish). Mostly, the directions for publishing would be the same directions you follow for a new CA.

Also how to stop using SHA-1 certs after sometime.

You start by going to your existing CA and modifying the existing templates, adjusting the security of those templates to prevent new certificates from being issued from them. Then you can simply wait for most of the existing certificates to expire, or, if you need them to go away sooner, you could script their removal from any systems they are on.

Zoredache
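The answer above describes a four-part procedure (publish the new root, stop the old CA from issuing, wait out or remove SHA-1 certs). Here it is as an added PowerShell example; it is not the answerer's code. The file path `C:\PKI\CORP-ROOT-SHA2.crt` and the old CA name `CORP-ISSUING-CA1` are hypothetical; the publishing step assumes an Enterprise Admin on a domain-joined machine, and the template step assumes it runs on the old CA with the ADCSAdministration module present. Run the sections separately rather than as one script:

```powershell
# Added example, not from the original answer. Hypothetical names:
#   C:\PKI\CORP-ROOT-SHA2.crt  = exported certificate of the new offline SHA-256 root
#   CORP-ISSUING-CA1           = the old SHA-1 CA being retired
Import-Module ADCSAdministration   # for Get-CATemplate / Remove-CATemplate (on the CA only)

# --- 1. Publish the new root into AD and confirm it is trusted --------------
$newRootPath = 'C:\PKI\CORP-ROOT-SHA2.crt'
$newRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $newRootPath

# RootCA = the Trusted Root CAs container in AD; domain members pick it up
# automatically. -f creates the object if it does not exist yet.
certutil -dspublish -f $newRootPath RootCA
# Put it in the local machine store now rather than waiting for propagation.
certutil -addstore -f Root $newRootPath
# The offline root's CRL must also be reachable at the CDP it was built with;
# certutil -dspublish accepts the .crl file as well.

function Test-RootTrusted {
    param([string]$Thumbprint)
    $null -ne (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint)
}
"New root trusted locally: $(Test-RootTrusted -Thumbprint $newRoot.Thumbprint)"

# --- 2. Stop the old CA from issuing (run on the old CA) --------------------
# Unassigning every template from the old CA is the blunt form of the
# answer's "adjust the template security" step; the template objects stay in
# AD for the new issuing CA to use.
Get-CATemplate | ForEach-Object { Remove-CATemplate -Name $_.Name -Force }

# --- 3. Inventory what is still SHA-1 signed on a host ----------------------
function Get-Sha1Certificates {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.SignatureAlgorithm.FriendlyName -eq 'sha1RSA'
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}
Get-Sha1Certificates | Sort-Object NotAfter | Format-Table -AutoSize

# --- 4. Scripted removal once replacements are in place ---------------------
# Dry run by default; pass -Force to delete (and the private key with it).
function Remove-OldCaCertificates {
    param(
        [string]$OldCaIssuerCn = 'CN=CORP-ISSUING-CA1',   # hypothetical
        [string]$StorePath     = 'Cert:\LocalMachine\My',
        [switch]$Force
    )
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.Issuer -like "$OldCaIssuerCn*" -and
            $_.SignatureAlgorithm.FriendlyName -eq 'sha1RSA'
        } |
        ForEach-Object {
            if ($Force) {
                Remove-Item -Path "$StorePath\$($_.Thumbprint)" -DeleteKey
            } else {
                "Would remove $($_.Subject) ($($_.Thumbprint)), expires $($_.NotAfter)"
            }
        }
}
Remove-OldCaCertificates            # dry run: list what would go
# Remove-OldCaCertificates -Force   # delete for real, after the SHA-256 replacements are installed
```

Section 3 is worth running before section 2: it tells you which templates are still in active use, and the `NotAfter` column tells you how long "just wait for them to expire" actually means.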