IPsec: Not Working after SHA 256 auto enrollment

  • Hello All,

    Recently came across an IPsec error in the DirectAccess Operations Status page after both DirectAccess servers auto-renewed from SHA1 to SHA2.

    The following criteria have been met:

    New SHA256 cert is not expired

    It does have a private key

    Configured for Client / Server authentication

    Is chained to the configured root/intermediate cert

    CRL is accessible

    The SSL certificate for the IP-HTTPS listener was also purchased through a public CA, therefore eliminating CRL issues.

    Thanks in advance for any assistance that may be provided.

    Wednesday, June 8, 2016 6:40 PM

All replies

  • Hi,

    Have you rerun the DA wizard? Has the root been upgraded to SHA2 as well? If so, you would need to pick the re-issued root cert. Once this is done, gpupdate all DA servers and clients and it should be good?

    Regards, Rmknight

    Thursday, June 9, 2016 8:34 AM
  • Hello RMknight,

    Thanks for your reply. I looked into my certificate chain. The local certificate is SHA2, the intermediate cert is SHA256, but the root is SHA1. Could this be an issue within the certification path?

    Thursday, June 9, 2016 12:25 PM
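The checklist in the original question (not expired, has a private key, Client and Server Authentication EKUs, chains to the configured root, CRL reachable) and the follow-up question about a SHA1 root with a SHA256 intermediate can both be checked from the DA server itself. The script below is an added example and is not from the thread or from Microsoft; it assumes it is run in an elevated PowerShell session on a DirectAccess server and that the IPsec certificate lives in Cert:\LocalMachine\My. For every certificate carrying both EKUs it prints the checklist items, builds the chain with online revocation checking (so a CRL fetch failure surfaces as a chain status), and then lists the signature algorithm of each certificate in the chain, leaf first and root last.

```powershell
# Added example (not code from the thread): report the DirectAccess IPsec certificate checks
# and the signature algorithm of every certificate in the chain.
# Assumption: run elevated on the DA server; the IPsec cert is in Cert:\LocalMachine\My.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-EkuOids {
    # Return the EKU OIDs of a certificate, or an empty list if it has no EKU extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = Get-EkuOids -Cert $cert

    # The DA IPsec certificate needs both Client and Server Authentication; skip everything else.
    if (-not (($ekus -contains $clientAuthOid) -and ($ekus -contains $serverAuthOid))) { return }

    Write-Host "Certificate    : $($cert.Subject)"
    Write-Host "  Thumbprint   : $($cert.Thumbprint)"
    Write-Host "  Not expired  : $($cert.NotAfter -gt (Get-Date))  (expires $($cert.NotAfter))"
    Write-Host "  Private key  : $($cert.HasPrivateKey)"
    Write-Host "  Signature    : $($cert.SignatureAlgorithm.FriendlyName)"

    # Build the chain with online revocation checking. The default RevocationFlag (ExcludeRoot)
    # is kept on purpose: self-signed roots normally have no CDP and would report a spurious
    # 'RevocationStatusUnknown' if the root were included.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    Write-Host "  Chain builds : $chainOk"
    foreach ($status in $chain.ChainStatus) {
        # Anything here (e.g. RevocationStatusUnknown, OfflineRevocation, UntrustedRoot) is what
        # the Operations Status page will complain about.
        Write-Host "    Status     : $($status.Status) - $($status.StatusInformation.Trim())"
    }

    # Signature algorithm per chain element, leaf first and root last.
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $kind = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'cert' }
        Write-Host ("    {0,-5} {1,-18} {2}" -f $kind, $c.SignatureAlgorithm.FriendlyName, $c.Subject)
    }
    $chain.Reset()
}
```

Two points worth keeping in mind when reading the output. First, the hash algorithm shown for the root entry is the algorithm the root used to sign itself; that signature is not verified during chain building, because a root is trusted by virtue of being present in the Trusted Root store, so a SHA1-signed root above a SHA256 intermediate and leaf does not by itself make the chain invalid (Microsoft's SHA1 deprecation likewise never applied to root certificates). Second, if the chain builds cleanly with no status entries here but the dashboard still shows red, compare against `Get-RemoteAccessHealth` output and the certificate actually selected in the DA configuration, since the health check evaluates the configured certificate, not every certificate in the store.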
  • I thought the whole chain had to be SHA2 or SHA256?

    I am not sure this would work.


    Regards, Rmknight

    Thursday, June 9, 2016 3:10 PM
    I can investigate the root and SHA256. Funny thing is that everything is working. Clients are connecting on both nodes. It's an annoyance seeing red in the operations dashboard.

    Monday, June 13, 2016 12:39 PM