upgrade root CA to support sha2

Janus Bariñan 1,126 Reputation points
2020-11-15T15:54:55.01+00:00

Hi,

We currently have a Windows 2008 R2 server running as enterprise root CA. It's the only CA on our domain. It supports only SHA1. We plan to upgrade to 2016 or 2019 and have it support SHA2 or even SHA3. What steps can you advise?

Do I need to back up the certificates public and private keys and restore them to the new machine? Will that be a seamless process or a complicated one?

What would happen to applications/devices that use sha1 certificate? Do they need to request a new one or renew?

I plan on making a standalone root CA and 2 domain member subordinate CAs (for resiliency). Will this be a good setup?

Do windows domain member machines need a computer certificate? If so does it auto renew?


Accepted answer
  1. Daisy Zhou 22,311 Reputation points Microsoft Vendor
    2020-11-16T07:03:12.143+00:00

    Hello @Janus Bariñan ,

    Thank you for posting here.

    Here are the answers for your references.

    We plan to upgrade to 2016 or 2019 and have it support SHA2 or even SHA3. What steps can you advise?
    A1: Based on the description above, I understand you want to migrate the hash algorithm of the root CA certificate from SHA-1 to SHA-256. If so, we can refer to the steps in the following link (the same steps apply for migrating from SHA256 to SHA3).

    Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
    https://www.petenetlive.com/KB/Article/0001243

    Do I need to back up the certificates public and private keys and restore them to the new machine? Will that be a seamless process or a complicated one?
    A2: Yes. Firstly, we had better back up the CA and all the related configuration information and registry data.
    Secondly, migrate SHA1 to SHA256 and check whether the migration to SHA256 succeeded. Then we can back up the CA and all the related configuration information and registry data again.
    Thirdly, we can add a new Windows Server 2016 or Windows Server 2019 machine to this domain, add the AD CS role and restore the CA.
    Fourthly, we can check CA health.

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

    What would happen to applications/devices that use sha1 certificate? Do they need to request a new one or renew?
    A3: The existing certificates will remain unaffected. But we need to check whether all your applications/devices support SHA 256 (now that your CA is SHA 256, it will issue certificates with SHA 256 in the future; if any of your applications/devices does not support SHA 256, the SHA 256 certificates issued by the CA may not be usable on them).

    I plan on making a standalone root CA and 2 domain member subordinate CAs (fore resiliency). Will this be a good setup?
    A4: If you need it, you can use this setup.
    Tip: The more complex the hierarchical architecture, the higher the security of the domain environment, but the management is more difficult.

    Do windows domain member machines need a computer certificate? If so does it auto renew?
    A5: Usually, they do not need one. For certificate auto enrollment and auto renewal, we can deploy it as below:

    1. The specific user/user group or computer/computer group must have read and autoenrollment permissions on specific certificate template.
    2. Then issue the certificate to Certificate Templates containers on CA server.
    3. Auto enroll and auto renew should be configured using GPO.

    Set Up Automatic Certificate Enrollment (Autoenroll)
    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
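The check, back up, change, verify, back up again sequence from A2, written out as an added PowerShell example that is not part of the answer above or of Microsoft's documentation. The backup path C:\CABackup is an assumption, and the script assumes the CA key already sits in a CNG key storage provider (a key held by a legacy CSP cannot sign with SHA-2, so the script checks for that first and stops rather than continuing).

```powershell
# Added example; run from an elevated prompt on the existing CA.
$BackupDir = 'C:\CABackup'   # assumed path; certutil -backup needs an empty folder

function Test-CaUsesKsp {
    # A CA key held by a legacy CSP cannot sign with SHA-2; the Provider value
    # must name a KSP such as "Microsoft Software Key Storage Provider".
    $out = certutil -getreg ca\csp\Provider 2>&1 | Out-String
    return ($out -match 'Key Storage Provider')
}

function Backup-CaState {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # CA database plus private key (prompts for a password protecting the .p12)
    certutil -backup $Path
    # Registry configuration: templates, CRL/AIA settings, hash algorithm
    reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$Path\CertSvc-Configuration.reg" /y
    # Templates published by this CA, kept for comparison after the restore
    certutil -catemplates > "$Path\templates.txt"
}

function Set-CaHashSha256 {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service certsvc    # the new value is read when the service starts
}

function Get-CaHashAlgorithm {
    # Parses the "CNGHashAlgorithm REG_SZ = SHA256" line certutil prints
    $out = certutil -getreg ca\csp\CNGHashAlgorithm 2>&1 | Out-String
    if ($out -match 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)') { return $Matches[1] }
    return $null
}

if (-not (Test-CaUsesKsp)) {
    throw 'CA key is on a legacy CSP; migrate the key to a KSP before changing the hash algorithm.'
}
Backup-CaState -Path $BackupDir                 # backup 1: state before the change
Set-CaHashSha256
if ((Get-CaHashAlgorithm) -ne 'SHA256') { throw 'Hash algorithm change did not take effect.' }
# Renew the root CA certificate with the same key pair so the CA certificate
# itself is SHA-256 signed; existing issued certificates stay valid.
certutil -renewCert ReuseKeys
Backup-CaState -Path "$BackupDir-sha256"        # backup 2: what gets restored on the new server
```

After the second backup, `certutil -verify -urlfetch` against a newly issued certificate confirms the chain, CRL and AIA locations still resolve before the CA role is restored on the 2016/2019 server.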

