PKI: SHA1 and SHA256 coexist?

  • Question

  • I have a SHA256 PKI environment that is working well; however, I now have two new projects that only support SHA1.

    I want to stand up an online, standalone PKI root just for the SHA1 certificates.  Should the new root be in a workgroup, or can it exist as a domain member?  I do not want to create any conflicts between the two environments.

    Thanks in advance!


    tina, just tina
    • Moved by Brent Hu Friday, May 27, 2011 2:19 AM (From:General)
    Monday, May 23, 2011 4:24 PM

Answers

  • Hi,

    First, SHA1 and SHA256 coexist. The multiple CAs are each independent. All issued CAs will be published to AD under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com. When a client tries to submit a request, it will contact all CAs under Enrollment Services one by one (there is no priority).

    As we know, Windows XP and 2003 do not support SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in the X.509 certificate, so for these computers, they only get the certs from your SHA1 Root CA.


    I would like to provide you some reference about SHA2:

    Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption

    http://support.microsoft.com/kb/968730

    SHA2 and Windows

    http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx


    Thanks.

    • Marked as answer by Brent Hu Monday, May 30, 2011 3:36 AM
    Friday, May 27, 2011 9:25 AM
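The answer above says a domain client walks every CA published under CN=Enrollment Services with no priority, so it is worth seeing exactly what is published there and which hash each CA is actually using before a second (SHA1) CA is stood up. The script below is an added example, not code from the original thread: it enumerates the pKIEnrollmentService objects in the Configuration partition and reports, for each CA, the hash on the CA's own certificate and the hash the CA is configured to use when signing the certificates it issues. The two can differ: a CA whose own certificate is SHA256-signed can still issue SHA1 certificates, and vice versa. Assumptions: it runs on a domain-joined Windows host as any authenticated user (read access to the Configuration partition is the default), certutil.exe is on the PATH, and you have remote registry read access on the CA hosts for the second check; the regex that parses the certutil output is an assumption about its text format.

```powershell
# Added example (not part of the original thread). Lists the CAs a domain client
# will find under CN=Enrollment Services and, for each one, reports:
#   (a) the signature hash on the CA's own certificate, and
#   (b) the hash the CA is configured to use for the certificates it issues.
# Assumptions: domain-joined host, read access to the Configuration NC,
# certutil.exe on PATH, remote registry access to the CA hosts for (b).

function Get-EnrollmentServiceCA {
    # Locate the Enrollment Services container for this forest.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $esDn     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$esDn"
    $searcher.Filter      = "(objectClass=pKIEnrollmentService)"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "dnshostname", "cacertificate"))

    foreach ($r in $searcher.FindAll()) {
        $caName  = [string]$r.Properties["cn"][0]
        $dnsHost = [string]$r.Properties["dnshostname"][0]
        $raw     = [byte[]]$r.Properties["cacertificate"][0]
        $caCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)

        # (b) Issuance hash. CNG-backed CAs store it as a string under ca\csp\CNGHashAlgorithm.
        #     Legacy CSP-backed CAs store ca\csp\HashAlgorithm as a DWORD (0x8004 = SHA1)
        #     instead, so "unknown" here means "check HashAlgorithm by hand".
        #     The regex below assumes certutil prints "CNGHashAlgorithm REG_SZ = <value>".
        $issueHash = "unknown"
        $out = & certutil.exe -config "$dnsHost\$caName" -getreg "ca\csp\CNGHashAlgorithm" 2>&1
        if ($LASTEXITCODE -eq 0 -and (($out -join "`n") -match 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)')) {
            $issueHash = $Matches[1]
        }

        [pscustomobject]@{
            CAConfig      = "$dnsHost\$caName"
            CACertSigAlg  = $caCert.SignatureAlgorithm.FriendlyName   # (a) e.g. sha1RSA / sha256RSA
            IssuanceHash  = $issueHash                                 # (b) e.g. SHA1 / SHA256
            CACertExpires = $caCert.NotAfter
        }
    }
}

Get-EnrollmentServiceCA | Format-Table -AutoSize
```

Because the client has no preference between the published CAs, the practical way to keep the SHA1 CA from answering requests meant for the SHA256 CA is to publish the SHA1-only templates on the SHA1 CA alone and leave them off the SHA256 CA; the listing above tells you which CAs are in the enumeration set and what each will actually sign with.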

All replies

  • Hello,

    I recommend that you ask them here:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

    http://social.technet.microsoft.com/Forums/en-US/ocssecurity/threads



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration

    • Proposed as answer by Meinolf Weber Monday, May 23, 2011 9:04 PM
    Monday, May 23, 2011 5:32 PM
  • Meanwhile Microsoft has issued updates so that both Windows XP and Windows Server 2003 can use SHA2-signed certificates.

    I don't have the KB article numbers at hand, but please keep in mind that both OSes are deprecated!

    Wednesday, July 19, 2017 10:03 AM