Upgrade Root Certificate on Certification Authority (Disable SHA-1)

Kavindu Dayananda 76 Reputation points
2020-09-21T04:21:36.087+00:00

Hi,

We have a requirement to disable the SHA-1 hash algorithm of our Root certificate, as recommended by our security team. We want to know what services will be affected, or what the impact will be, by running the steps in the Microsoft article below.

https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/

CA Server - Windows Server 2008R2

Regards,
Kavindu


4 answers

  1. Anonymous
    2020-09-21T07:26:20.177+00:00

    Hello @Kavindu Dayananda ,

    Thank you for posting here.

    From the link below (SHA1 Key Migration to SHA256 for a two tier PKI hierarchy), we can see:

    If your organization uses its own PKI hierarchy (you do not purchase certificates from a third-party), you will not be affected by the SHA1 deprecation. Microsoft's SHA1 deprecation plan ONLY APPLIES to certificates issued by members of the Microsoft Trusted Root Certificate program. Your internal PKI hierarchy may continue to use SHA1; however, it is a security risk and diligence should be taken to move to SHA256 as soon as possible.

    Based on the description above, do you want to migrate the hash algorithm of the root CA certificate from SHA-1 to SHA-256? If so, we can refer to the following links to migrate it.

    For a single-tier Enterprise root CA:

    Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
    https://www.petenetlive.com/KB/Article/0001243

    For a two-tier CA with an offline root and an online subordinate enterprise issuing CA:
    SHA1 Key Migration to SHA256 for a two tier PKI hierarchy
    https://learn.microsoft.com/zh-cn/archive/blogs/askds/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy

    All the certificates issued by the old root CA certificate with hash algorithm SHA-1 have the hash algorithm SHA-1, but the certificates issued by the new root CA certificate with hash algorithm SHA256 have hash algorithm SHA256.

    If all the certificates reissued by the new root CA certificate with hash algorithm SHA256 have hash algorithm SHA256, we can disable SHA-1.

    OR, if all the certificates issued by the old root CA certificate with hash algorithm SHA-1 expire in future and we reissue/renew these certificates from the new root CA certificate with hash algorithm SHA256, we can disable SHA-1.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

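Before SHA-1 is switched off, an administrator needs to know which certificates on the estate are still signed with it and by which issuer. The script below is an added example, not code from the thread or from the linked articles; it assumes PowerShell 3.0 or later on a host that can read the listed certificate stores, and the store list and algorithm names are constructed for illustration.

```powershell
# Inventory certificates whose signature still uses SHA-1, so that the
# "reissue from the SHA256 CA, then disable SHA-1" decision is based on data.
# Assumption: PowerShell 3.0+ (for [pscustomobject]); stores chosen for illustration.

$Sha1Algorithms = @('sha1RSA', 'sha1ECDSA', 'sha1DSA')

function Get-Sha1SignedCertificates {
    param(
        # Certificate store paths to inspect; add remote or user stores as needed.
        [string[]] $StorePaths = @('Cert:\LocalMachine\My',
                                   'Cert:\LocalMachine\CA',
                                   'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $alg = $_.SignatureAlgorithm.FriendlyName
            if ($Sha1Algorithms -contains $alg) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    Algorithm  = $alg
                    NotAfter   = $_.NotAfter
                    # A self-signed root's own signature is never validated by
                    # relying parties, so it is reported but flagged separately.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
        }
    }
}

$sha1Certs = Get-Sha1SignedCertificates

# Full list, soonest-expiring first: these are the certificates that must be
# reissued or allowed to expire before SHA-1 signing can be disabled.
$sha1Certs | Sort-Object NotAfter |
    Format-Table Store, Subject, Issuer, Algorithm, NotAfter, SelfSigned -AutoSize

# Per-issuer count of SHA-1 leaf/intermediate certificates still in circulation.
$sha1Certs | Where-Object { -not $_.SelfSigned } | Group-Object Issuer |
    Select-Object @{n='Issuer'; e={$_.Name}}, @{n='Sha1Certs'; e={$_.Count}}

# On the CA itself, this shows the hash algorithm the CA currently uses for
# new signatures (KSP/CNG-based CAs); compare it with the inventory above.
certutil -getreg ca\csp\CNGHashAlgorithm
```

Run it on the CA and on a representative sample of servers; an empty result for non-self-signed entries across the estate is the condition the answer above describes for disabling SHA-1.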

