Enable TLS 1.2 and 1.3 on Certificate Authority aka PKI (Windows 2012 R2)


  • Hi,

    I need to enable TLS 1.2 and 1.3 in my PKI environment. Can someone tell me how to proceed with this?

    Kuldeep Singh

    Tuesday, May 29, 2018 7:58 AM

All replies

  • Pretty much the same as any other Windows Server. SSL 2.0 and 3.0 should already be available, so you need to first enforce the use of the protocol by removing all the older insecure protocols and ciphers. The following articles can help you on your way:

    Any component that uses SSL will then use the newer protocols. One word of caution, if you set RDP to use SSL, this will also use the newer protocols, which under some circumstances can cause you to be temporarily unable to reach your own servers.

    Kind Regards,

    Wednesday, May 30, 2018 7:09 AM
  • Do we need to perform these changes on both the Root CA (Offline) and the Subordinate CA? Is it fine to make so many changes at the registry level to disable old components and enable new ones?

    Kuldeep Singh

    Wednesday, May 30, 2018 8:04 AM
  • Hi Kuldeep Singh,

    These settings are per Windows Server where you want to disable the older protocols. The Root and Subordinate CAs are just two more Windows Servers in this. Though I wouldn't worry too much about the Root CA if you never approach it through anything like SSL/TLS.

    About the registry changes, it's the quality that matters, not the numbers. If each setting is spot-on what you want, the number is perfectly alright.

    Kind Regards,

    Thursday, May 31, 2018 8:56 AM
  • Is it better if I make a group policy and deploy these settings on all Windows 2008/2012 servers?

    After this, I would get a new certificate from my local CA that supports TLS 1.2. Is that correct?

    Kuldeep Singh

    Thursday, May 31, 2018 10:48 AM
  • Hi Kuldeep,

    Now I get what you want to do.

    For the certificates to be used in TLS1.2, don't worry about it. Any certificate that has Extended Key Usage Server Authentication will support TLS1.2 and 1.3. Typically these are the certificates issued by your webserver certificate template. Of course you do have to take the normal best practice steps, proper key length and so on.

    Kind Regards,

    Friday, June 1, 2018 6:18 AM
  • It means I do not need to do any extra steps on the Root CA and SUB CA. I only need to change the required registry settings on all servers, including these CA servers as well.

    Kuldeep Singh

    Friday, June 1, 2018 1:28 PM
  • Can anyone update on this?

    Kuldeep Singh

    Wednesday, June 6, 2018 9:55 AM
  • Hi Kuldeep, was out of the office for a week. Yes, your summary is spot-on.

    Tuesday, June 12, 2018 7:44 AM
  • One more confusion here. Do we need to make any changes on the Web Server certificate templates? I do not see any settings in the templates relevant to TLS version selection.

    Kuldeep Singh

    Tuesday, June 12, 2018 7:46 AM
  • Hi Kuldeep,

    No need for changes to the template.

    Tuesday, June 12, 2018 1:30 PM
  • Hi J.Couwenberg,

    I have another trick here. Can we enable TLS 1.2/1.3 and disable 1.0 using group policy and push it to all browsers?

    Kuldeep Singh

    Tuesday, June 12, 2018 5:08 PM
  • Hi Kuldeep,

    You should be able to, it's all registry, which can be altered using Group Policy.

    That said, you might be happier hiring yourself a consultant for a few hours. On this forum, we're generally volunteers, at most getting some recognition when a person asking questions marks answers as such. That's cheap of course, but it also means we sometimes take a long time to answer questions, because we do that in our spare time. With a consultant you would be able to ask the questions and get the answers in real time.

    Kind Regards,

    Wednesday, June 13, 2018 1:45 PM
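The registry changes referred to in the first reply (remove the old protocols, keep the new one) and the Group Policy remark in the last one, shown as an added PowerShell example that is not from this thread or from any of its participants. It assumes the standard Schannel protocol keys and the .NET Framework strong-crypto values; the CA hosts are treated as ordinary Windows Servers, exactly as the replies describe.

```powershell
# Added example (not from the thread): harden Schannel on a Windows Server by
# disabling SSL 2.0/3.0 and TLS 1.0/1.1 and enabling TLS 1.2 for both the
# Server (inbound) and Client (outbound) roles. Run elevated; Schannel only
# reads these values at boot, so reboot afterwards. TLS 1.3 is not provided by
# Schannel on Windows Server 2012 R2, so it cannot be switched on there.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,     # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off
        # unless an application requests it explicitly. Both are set so the
        # result does not depend on the OS default for that protocol.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' |
    ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# .NET applications (including web enrollment components hosted on a CA) follow
# the Schannel defaults only when told to; these values make them use TLS 1.2.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verification: list the resulting state per protocol and role, so it can be
# compared against what the Group Policy you deploy is expected to write.
Get-ChildItem $base -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Protocol          = $_.PSParentPath.Split('\')[-1]
            Role              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize
```

The same values can be pushed domain-wide as Group Policy Preferences registry items; as the first reply warns, disabling TLS 1.0 can cut off older RDP clients, so keep a console or out-of-band path to each server until the change is verified.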