This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
Hi,
We currently have a PKI infrastructure that's configured to generate SHA256 RSA 2048 certificates. We need to generate a SHA384 RSA 3072 certificate for one of our appliances. I believe these would be our options:
1.) Migrate the key size of the current PKI infrastructure to SHA384 RSA 3072. This would mean that all new certificates generated would be SHA384 RSA 3072 and that we'd be unable to generate SHA256 RSA 2048 certificates.
2.) Create a brand new root subordinate PKI infrastructure for SHA384 RSA 3072.
Please advise if I'm off the mark.
Cheers,
Ed
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Edward Narayan ,
Good day!
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Good day!
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
Hello @Edward Narayan ,
Thank you for posting here.
Here are the answers for your references.
Q1: Migrate the key size of the current PKI infrastructure to SHA384 RSA 3072. This would mean that all new certificates generated would be SHA384 RSA 3072 and that we'd be unable to generate SHA256 RSA 2048 certificates.
A1: If we are using multiple certificates issued by the current PKI infrastructure (SHA256 RSA 2048 certificate), I means many users, computers, applications depends on the current PKI infrastructure (SHA256 RSA 2048 certificate) and we still want to use SHA256 RSA 2048 certificates in future. I suggest we can keep the current PKI infrastructure ( SHA256 RSA 2048 certificate).
We can set up the other PKI infrastructure (SHA384 RSA 3072) for one of your appliances.
When PKI infrastructure (SHA256 RSA 2048 certificate) is eliminated and PKI infrastructure (SHA384 RSA 3072 certificate) becomes the mainstream PKI infrastructure one day in future, we can retire PKI infrastructure (SHA256 RSA 2048 certificate) and continue to use PKI infrastructure (SHA384 RSA) 3072 certificate).
If the current CA issues very few certificates, we may need very few certificates for SHA256 RSA 2048 or we may not need certificates for SHA256 RSA 2048 in future. You can choose the second option--create a brand new PKI infrastructure for SHA384 RSA 3072.
Q2: Create a brand new root subordinate PKI infrastructure for SHA384 RSA 3072.
A2: We can set up a brand new root subordinate PKI infrastructure for SHA384 RSA 3072, and keep the PKI infrastructure (SHA256 RSA 2048 certificate) in your AD environment if needed.
Hope the information is helpful.
Best Regards,
Daisy Zhou
Hi Daisy,
Thanks for the answer. Would it possible to setup another subordinate CA just to issue SHA384 RSA 3072 certificates and retain our current PKI infrastructure? I'm going off this article, which mentions that this may be possible:
Cheers,
Ed
Hello,
Thank you for your update.
So you mean there is a root CA ---SHA256 RSA 2048 and two sub CA (one certificate is SHA256 RSA 2048 and the other certificate is SHA384 RSA 3072 ), is that right? If so, I think it should be OK.
Best Regards,
Daisy Zhou