Hi,
Welcome to ask here!
For your questions:
- PKI infrastructure supports newer and legacy apps; you can consider keeping the old PKI for the old apps and using the new PKI for the newer apps. Test each application in the environment that leverages certificates. When running into an application that does not support SHA2, I would contact the vendor and get on record when they are going to start supporting SHA2, or ask the application owner when they are planning to stop using the application. Once all this is documented, I would revisit these end dates to see if the vendor has updated support or find out if the application owner has replaced the application with something that does support SHA2 algorithms.
Following links for your reference:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/migrating-your-certification-authority-hashing-algorithm-from/ba-p/400300
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/choosing-a-hash-and-encryption-algorithm-for-a-new-pki/ba-p/256160
- Yes, the old PKI infra works side by side with the newly built PKI hierarchy while slowly migrating to the new one.
- You can set the enroll permission on the template for users and clients. If you want the clients and users to enroll a certificate, give the read and enroll permission on the template.
- You can refer to the migration steps if you have a backup for the CA server already:
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
- If you mean using the new PKI to issue certs, yes. You may configure the auto-enrollment:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates
Best Regards,
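As an added example (not part of the answer above or any Microsoft documentation), the following PowerShell inventories the certificates on a Windows host and flags those still signed with SHA-1 or MD5, which is the kind of per-application check the answer recommends before retiring the old CA. The store paths and the CSV output path are assumptions for illustration.

```powershell
# Added example: list certificates in the machine Personal and Intermediate CA
# stores and flag legacy signature hashes (SHA-1 / MD5). Root self-signatures are
# deliberately not checked: a trust anchor's own signature is never validated.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')   # assumed stores

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        ForEach-Object {
            $alg = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                Signature  = $alg
                NotAfter   = $_.NotAfter
                # -match is case-insensitive; anything hashed with SHA-1/MD5 is legacy
                Legacy     = [bool]($alg -match '^(sha1|md5)')
            }
        }
}

# Legacy certificates first, soonest-expiring first: this is the list to take to
# vendors and application owners when recording their SHA2 support dates.
$report |
    Sort-Object -Property @{ Expression = 'Legacy'; Descending = $true }, NotAfter |
    Format-Table Store, Subject, Issuer, Signature, NotAfter, Legacy -AutoSize

# Keep the legacy set as a tracking file to revisit against the documented end dates.
$report | Where-Object { $_.Legacy } |
    Export-Csv -Path "$env:TEMP\legacy-hash-certs.csv" -NoTypeInformation   # assumed path
```

Run it on each server that hosts a certificate-dependent application; a certificate whose issuer is the old CA but whose signature is already SHA-2 shows the old CA has been switched to SHA-2 signing, which is separate from the CA's own certificate being re-issued.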