Changing Windows PKI to issue SHA384 RSA 3072 certificates

asked 2020-08-26T00:26:06.807+00:00
Edward Narayan 1 Reputation point

Hi,

We currently have a PKI infrastructure that's configured to generate SHA256 RSA 2048 certificates. We need to generate a SHA384 RSA 3072 certificate for one of our appliances. I believe these would be our options:

1.) Migrate the key size of the current PKI infrastructure to SHA384 RSA 3072. This would mean that all new certificates generated would be SHA384 RSA 3072 and that we'd be unable to generate SHA256 RSA 2048 certificates.

2.) Create a brand new root subordinate PKI infrastructure for SHA384 RSA 3072.

Please advise if I'm off the mark.

Cheers,

Ed

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,294 questions
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2020-08-26T07:28:09.587+00:00
    Daisy Zhou 12,836 Reputation points Microsoft Employee

    Hello @Edward Narayan ,

    Thank you for posting here.

    Here are the answers for your references.

    Q1: Migrate the key size of the current PKI infrastructure to SHA384 RSA 3072. This would mean that all new certificates generated would be SHA384 RSA 3072 and that we'd be unable to generate SHA256 RSA 2048 certificates.

    A1: If we are using multiple certificates issued by the current PKI infrastructure (SHA256 RSA 2048 certificate), I means many users, computers, applications depends on the current PKI infrastructure (SHA256 RSA 2048 certificate) and we still want to use SHA256 RSA 2048 certificates in future. I suggest we can keep the current PKI infrastructure ( SHA256 RSA 2048 certificate).

    We can set up the other PKI infrastructure (SHA384 RSA 3072) for one of your appliances.

    When PKI infrastructure (SHA256 RSA 2048 certificate) is eliminated and PKI infrastructure (SHA384 RSA 3072 certificate) becomes the mainstream PKI infrastructure one day in future, we can retire PKI infrastructure (SHA256 RSA 2048 certificate) and continue to use PKI infrastructure (SHA384 RSA) 3072 certificate).

    If the current CA issues very few certificates, we may need very few certificates for SHA256 RSA 2048 or we may not need certificates for SHA256 RSA 2048 in future. You can choose the second option--create a brand new PKI infrastructure for SHA384 RSA 3072.

    Q2: Create a brand new root subordinate PKI infrastructure for SHA384 RSA 3072.

    A2: We can set up a brand new root subordinate PKI infrastructure for SHA384 RSA 3072, and keep the PKI infrastructure (SHA256 RSA 2048 certificate) in your AD environment if needed.

    Hope the information is helpful.

    Best Regards,
    Daisy Zhou