none
AD CS + CNG on subordinate CA question

    Question

  • Hello all,

    I am working to set up a two-tier AD CS design with an offline root, and two issuing CA's.  We can't do full blown CNG support (declare it on the root ca within the CAPolicy, etc.) due to xp/2003 compatibility issues.  So, our design was to have one issuing CA for legacy SHA1 support, and another Issuing CA to support the new CNG certificates.

    During the installation of this issuing CA, we specified discretesignaturealgorithm=1 within the CApolicy.inf file used here, and in the request file I can see where the signature algorithm is using sha256. However, when I issue the request, obtain the CA certificate from the root, the algorithm only shows SHA1. I am confused at this point.. Did I miss a step somewhere??? Any and all help is greatly appreciated!!

    Thanks!

    Monday, January 31, 2011 4:45 PM

Answers

  • A couple of things.

    1) There was a change after the publication of the 2008 PKI book, the correct entry is AlternateSignatureAlgorithm instead of DiscreteSignatureAlgorithm

    2) Do not use this any where in the CA hierarchy if you plan to have XP either trust the certificate, validate the certificate, use the certificate in chain validation, or receive a certificate from the CA. Even though XP SP3 allows validation of certiifcates that use SHA2 in the CA hierarchy, and KB 968730 allows limited enrollment of certificates that are signed by a CA using SHA2, any use of discrete signatures blocks out XP entirely.

    3) Even though you request SHA2, the root CA is configured to sign with SHA1, so it will continue to use SHA1

    Brian

    Monday, January 31, 2011 6:51 PM
  • As long as when you set up the subordinate CA, you designate SHA2 for its certificate (and future signing), you should be alright.

    When you submit the request to the root CA, it will sign with **its** signing algorithm (SHA1).

    The subordinate CA should sign with SHA2 (based on your original configuration of the subordinate CA)

    Brian

    Monday, January 31, 2011 7:31 PM

All replies

  • A couple of things.

    1) There was a change after the publication of the 2008 PKI book, the correct entry is AlternateSignatureAlgorithm instead of DiscreteSignatureAlgorithm

    2) Do not use this any where in the CA hierarchy if you plan to have XP either trust the certificate, validate the certificate, use the certificate in chain validation, or receive a certificate from the CA. Even though XP SP3 allows validation of certiifcates that use SHA2 in the CA hierarchy, and KB 968730 allows limited enrollment of certificates that are signed by a CA using SHA2, any use of discrete signatures blocks out XP entirely.

    3) Even though you request SHA2, the root CA is configured to sign with SHA1, so it will continue to use SHA1

    Brian

    Monday, January 31, 2011 6:51 PM
  • Ahhh.. Thanks for the response!

    Yes, you hit the nail on the head, I pulled 'discretesignaturealgorithm' from your book .. :) :) :) I'll note that change in my documentation

    On option 3 though, you mentioned:

    3)Even though you request SHA2, the root CA is configured to sign with SHA1, so it will continue to use SHA1..

    Based on a blog post I found from you, it stated.. It is better to either:1) Set up a separate CA hierarchy for CNG2) Deploy using RSA with SHA1, but change to a SHA2 algorithm once all clients are compliant (support SHA2 signatures)3) Only deploy separate issiuing CAs (or policy CA with separate issuing CAs) that deploy CNGHTH,Brian

    Can the Issuing CA still issue certificates to client signed with SHA2?? Even if the root is only SHA1?

     


    Monday, January 31, 2011 7:25 PM
  • As long as when you set up the subordinate CA, you designate SHA2 for its certificate (and future signing), you should be alright.

    When you submit the request to the root CA, it will sign with **its** signing algorithm (SHA1).

    The subordinate CA should sign with SHA2 (based on your original configuration of the subordinate CA)

    Brian

    Monday, January 31, 2011 7:31 PM
  • Awesome! Thank you so much for your help (as always) :)

    Since we've installed the Issuing CA's certificate with the 'discretesignaturealgorithm' in place (which now needs to be alternatesignaturealgorithm instead;

    How would you recommend accomplishing that? As it's written in the CAPolicy file and used when the actual AD CS role was installed??

    Thanks again!

    Monday, January 31, 2011 7:40 PM
  • It simply created a registry entry that is unknown (like a typo).

    I would probably recommend not using it (just delete the line).

    I would only recommend using it once you move to ECC algorithms for assymetric encryption.

    Remember, that XP does not recognize any of those certs

    Brian

    Monday, January 31, 2011 8:43 PM