Migrating SHA-1 to SHA-2

  • Question

  • Hi

    With Microsoft's plan to deprecate SHA1, and the need to migrate Certificate Services to use SHA2 (SHA256), I understand that the Root CA needs to be changed so that it no longer uses legacy CryptoAPI before it will issue certificates based on anything other than SHA1.

    However, what happens if clients are using NDES to issue certificates to network devices, and those devices require a legacy API (like this situation, for example)?

    Many clients are using SCEP; what are they going to do after February 2017?

    Pete


    Regards Pete Long http://www.petenetlive.com

    • Moved by Amy Wang_ Monday, October 10, 2016 1:19 PM PKI related from Windows Server 2012 Setup forum
    Monday, October 10, 2016 9:10 AM

Answers

  • Pete, the issue you linked to is because AlternateSignatureAlgorithm was specified, which enables PKCS #1 v2.1 signatures, which have compatibility issues. This has nothing to do with NDES, SHA1 deprecation or SCEP. So if you want to move away from SHA1, then you need to make sure your clients, devices and anything else using the certificates can validate and trust SHA2 certificates. Then you can change your CAs over to using SHA2 moving forward.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Marked as answer by PeteLongMVP Wednesday, October 12, 2016 8:37 PM
    Monday, October 10, 2016 3:39 PM
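To check the points raised in this answer before switching a CA over, here is an added PowerShell audit script (my example, not code from the thread, from Microsoft or from PKI Solutions). It assumes the standard CertSvc registry layout on the CA host; the `Active` value, the `Key Storage Provider` name match and the certutil fix commands quoted in the findings are the assumptions it relies on.

```powershell
# Added example, not from the thread: audit an ADCS CA's signing configuration
# before moving from SHA-1 to SHA-2. Run in an elevated PowerShell on the CA host.
# Assumption: the CA keeps its settings under the standard CertSvc registry path.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active          # name of the active CA
$csp    = Get-ItemProperty -Path "$base\$caName\CSP"
$findings = @()

# 1. A legacy CryptoAPI CSP cannot sign with SHA-2; the CA key must live in a CNG KSP.
#    Matching on the provider name is a heuristic (assumption), not an API check.
if ($csp.Provider -notmatch 'Key Storage Provider') {
    $findings += "Provider '$($csp.Provider)' looks like a legacy CSP: migrate the CA key " +
                 'to a KSP (e.g. Microsoft Software Key Storage Provider) before enabling SHA-2.'
}

# 2. AlternateSignatureAlgorithm=1 makes the CA emit PKCS #1 v2.1 (RSASSA-PSS) signatures,
#    which many network devices cannot validate. SHA-2 does not need it; keep it at 0.
if ($csp.AlternateSignatureAlgorithm -eq 1) {
    $findings += 'AlternateSignatureAlgorithm is 1 (PKCS #1 v2.1 / PSS): expect device ' +
                 'compatibility failures. Fix: certutil -setreg ca\csp\AlternateSignatureAlgorithm 0'
}

# 3. The hash the CA signs with. CNGHashAlgorithm only takes effect when a KSP is in use.
if ($csp.CNGHashAlgorithm -notmatch '^SHA(256|384|512)$') {
    $findings += "CA hash is '$($csp.CNGHashAlgorithm)': set it with " +
                 'certutil -setreg ca\csp\CNGHashAlgorithm SHA256, then restart CertSvc.'
}

# 4. Certificates on this host that still carry SHA-1 or PSS signatures.
$stale = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1|RSASSA-PSS' } |
    Select-Object Subject, NotAfter, @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }

if ($findings.Count -eq 0) { 'CA signing configuration is ready for SHA-2.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
if ($stale) { 'Certificates to reissue after the change:'; $stale | Format-Table -AutoSize }
```

Changing CNGHashAlgorithm only affects certificates issued after CertSvc restarts; the CA's own certificate keeps its SHA-1 signature until it is renewed, and that renewal must be done with the key already in a KSP.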

All replies

  • Hi Mark,

    Thanks for the follow-up. I've been running it up on the bench today to test; I was beginning to think the same way. I've spent the day changing Root CAs about, and messing around with crypto providers etc.

    I'll have NDES spun up tomorrow, then I've just got to check the code train on my Cisco devices to make sure they understand SHA2. But my client loves to upgrade, so I don't think that will sting me!

    I'll post back my findings by COP tomorrow, if I have any problems.

    Thanks Again

    Pete


    Regards Pete Long http://www.petenetlive.com

    Monday, October 10, 2016 4:01 PM
  • As promised (if a little late): confirmed and documented.

    Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

    Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

    Pete



    Regards Pete Long http://www.petenetlive.com

    Wednesday, October 12, 2016 8:37 PM