Hello @Janus Bariñan,
Thank you for posting here.
Here are the answers for your reference.
Q1: We plan to upgrade to 2016 or 2019 and have it support SHA2 or even SHA3. What steps can you advise?
A1: Based on the description above, I understand you want to migrate the hash algorithm of the root CA certificate from SHA-1 to SHA-256. If so, we can refer to the steps in the following link (the same steps apply for migrating from SHA256 to SHA3).
Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
https://www.petenetlive.com/KB/Article/0001243
Q2: Do I need to back up the certificates' public and private keys and restore them to the new machine? Will that be a seamless process or a complicated one?
A2: Yes. Firstly, we had better back up the CA and all the related configuration information and registry data.
Secondly, migrate from SHA1 to SHA256 and check that the migration to SHA256 succeeded. Then we can back up the CA and all the related configuration information and registry data again.
Thirdly, we can add a new Windows Server 2016 or Windows Server 2019 machine to this domain, add the AD CS role, and restore the CA.
Fourthly, we can check the CA health.
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo
Q3: What would happen to applications/devices that use a SHA1 certificate? Do they need to request a new one or renew?
A3: The existing certificates will remain unaffected. But we need to check whether all your applications/devices support SHA256 (now that your CA is SHA256, it will issue SHA256 certificates in future; if any of your applications/devices does not support SHA256, the SHA256 certificates issued by the CA may not be usable).
Q4: I plan on making a standalone root CA and 2 domain member subordinate CAs (for resiliency). Will this be a good setup?
A4: If you need it, you can make this setup.
Tip: The more complex the hierarchical architecture, the higher the security of the domain environment, but the more difficult the management.
Q5: Do Windows domain member machines need a computer certificate? If so, does it auto-renew?
A5: Usually, they do not need one. For certificate auto-enrollment and auto-renewal, we can deploy it as below:
- The specific user/user group or computer/computer group must have Read and Autoenroll permissions on the specific certificate template.
- Then issue the certificate template to the Certificate Templates container on the CA server.
- Auto-enroll and auto-renew should be configured using GPO.
Set Up Automatic Certificate Enrollment (Autoenroll)
https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
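The backup, SHA256 switch, and health-check steps in A1/A2 above, as an added PowerShell example that is not part of the original post or of the linked articles. Assumptions (mine, not the page's): the CA key lives in a CNG key storage provider (a CA whose key is still in a legacy CSP cannot sign SHA256 until the key is migrated to a KSP, which is why the provider is checked first), the CA is named "Contoso Root CA", and the backup paths are placeholders. Run elevated on the CA itself; the ADCSAdministration module ships with Server 2012 and later.

```powershell
# Added example, not from the original post. Back up the CA, switch signing
# to SHA256, re-sign the CA certificate with the existing key, verify, then
# take a second backup to carry to the new 2016/2019 server.
# Assumed values (placeholders): CA name, paths.
$CAName    = 'Contoso Root CA'
$BackupDir = 'C:\CABackup'
$Before    = Join-Path $BackupDir 'before-sha2'
$After     = Join-Path $BackupDir 'after-sha2'
New-Item -ItemType Directory -Path $Before, $After -Force | Out-Null

# 1. Backup before touching anything: database + private key (PFX protected
#    by the password) via Backup-CARoleService, and the CertSvc registry hive
#    that holds the CA configuration.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the CA key backup'
Backup-CARoleService -Path $Before -Password $pfxPassword
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (Join-Path $Before 'CertSvc.reg') /y

# 2. Confirm the key provider. A KSP shows "Microsoft Software Key Storage
#    Provider"; a legacy CSP (e.g. "Microsoft Strong Cryptographic Provider")
#    has no CNGHashAlgorithm value and needs a key migration first.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm

# 3. Switch the hash used for everything the CA signs (certificates, CRLs).
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service certsvc

# 4. Renew the CA's own certificate with the existing key pair so the CA
#    certificate itself is SHA256-signed. ReuseKeys keeps the key; only the
#    certificate changes. certutil may prompt for confirmation here.
certutil -renewCert ReuseKeys
Restart-Service certsvc

# 5. Verify. Export the current CA certificate and read its signature
#    algorithm; publish a fresh CRL and check the same on the CRL.
$caCerFile = Join-Path $After 'ca.cer'
certutil -ca.cert $caCerFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCerFile
"CA certificate signature algorithm: {0}" -f $caCert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
certutil -crl
$crlFile = "C:\Windows\System32\CertSrv\CertEnroll\$CAName.crl"
certutil -dump $crlFile | Select-String 'Signature Algorithm' -Context 0, 1

# 6. Health check: the CA must answer requests, and -cainfo prints the CA
#    type, certificate chain status and CRL state.
certutil -ping
certutil -cainfo

# 7. Second backup (post-migration state) for the move to the new server.
Backup-CARoleService -Path $After -Password $pfxPassword
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (Join-Path $After 'CertSvc.reg') /y
```

On the new 2016/2019 server the matching restore is Restore-CARoleService -Path (the after-sha2 folder) -Password (the same password) after the AD CS role is installed with the existing CA certificate; the exported CertSvc.reg should be reviewed before import because it carries server-specific paths. Step 4 is what makes the CA certificate SHA256 as well as the issued certificates; changing only CNGHashAlgorithm leaves the CA certificate with its old signature, which is the usual reason a "migrated" CA still shows sha1RSA in the chain.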
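The three auto-enrollment steps in A5 above (template permissions, publishing the template on the CA, enabling auto-enrollment by GPO), as an added PowerShell example that is not part of the original post or of the linked article. Assumptions (mine): the domain is contoso.com, a duplicated computer template with CN "ContosoComputer" already exists, the computers to enrol are in CONTOSO\Domain Computers, and the GPO is named "PKI-Autoenrollment". The template ACL and GPO parts run on a domain controller or a machine with RSAT; the publishing step runs on the issuing CA; the last block runs on a member machine.

```powershell
# Added example, not from the original post. Assumed names (placeholders):
# domain, template CN, security group, GPO name.
$DomainDN   = 'DC=contoso,DC=com'
$Template   = 'ContosoComputer'                 # template CN, not its display name
$Group      = 'CONTOSO\Domain Computers'
$GpoName    = 'PKI-Autoenrollment'
$TemplateDN = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$DomainDN"

# 1. Template permissions: Read (generic read) plus the Enroll and
#    AutoEnrollment control-access rights. Autoenrollment without Enroll
#    never produces a certificate, so both rights are granted.
dsacls $TemplateDN /G "${Group}:GR"
dsacls $TemplateDN /G "${Group}:CA;Enroll"
dsacls $TemplateDN /G "${Group}:CA;AutoEnrollment"
dsacls $TemplateDN | Select-String -SimpleMatch $Group     # show the resulting entries

# 2. Publish the template on the issuing CA (run on the CA). A template that
#    is not in the CA's list is ignored by clients even with correct ACLs.
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $Template })) {
    Add-CATemplate -Name $Template -Force
}

# 3. GPO: Computer Configuration > Policies > Windows Settings > Security
#    Settings > Public Key Policies > Certificate Services Client -
#    Auto-Enrollment. AEPolicy = 7 is "Enabled" with both options:
#    renew expired / update pending / remove revoked, and update
#    certificates that use templates. Renewal is what answers the
#    "does it auto renew" part of the question.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
New-GPLink -Name $GpoName -Target $DomainDN -ErrorAction SilentlyContinue | Out-Null

# 4. On a member machine: refresh policy, trigger auto-enrollment now rather
#    than waiting for the next 8-hour cycle, then list certificates that
#    carry a certificate-template extension (v1 OID 1.3.6.1.4.1.311.20.2,
#    v2 OID 1.3.6.1.4.1.311.21.7) together with their signature algorithm.
gpupdate /target:computer /force
certutil -pulse
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } } |
    Format-Table Subject, NotBefore, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } -AutoSize
```

The final listing doubles as the SHA256 check from A3: after the CA migration, newly auto-enrolled or renewed computer certificates should show sha256RSA while older ones still show sha1RSA until their renewal window (by default when 20% of validity remains) triggers a re-enrollment.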