
CA Hierarchy move to SHA-256


bill...@gmail.com

Dec 12, 2014, 12:13:01 PM12/12/14
Hi,

We have a 2-tiered MS PKI environment with an offline root CA and 2 Issuing CAs. They were all running Win2K3. We recently upgraded the root to Win2K8 R2 keeping the existing SHA-1 keys. We would like to renew the root's keys using the SHA-256 algorithm before continuing with the Issuing CAs upgrade.

Is it possible to renew the root CA's keys using SHA-256 in this environment or do we have to build another CA hierarchy for SHA-256?

Thanks,
Bill
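
As an added example (not part of the thread, and not an official answer to Bill's question): on a Windows Server 2008 R2 CA the SHA-256 switch is usually done in place. SHA-256 is the hash used for the signatures the CA produces, not a property of the key pair, so the existing RSA key can be kept; what has to change is that the key must be held by a CNG key storage provider (KSP) rather than the legacy CryptoAPI CSP a 2003-era CA created it under, because the CNGHashAlgorithm setting has no effect on a CSP-held key. The CA name and backup folder below are placeholders, and the registry values are the ones from Microsoft's CSP-to-KSP migration guidance.

```powershell
# Added example (not from the thread): move a Windows Server 2008 R2 CA key
# from a legacy CryptoAPI CSP to the CNG software KSP and switch the CA's
# signature hash to SHA-256, keeping the existing RSA key pair.
# Run in an elevated PowerShell session on the CA itself.
$CaName    = 'Contoso Root CA'   # assumption: the CA's common name
$BackupDir = 'C:\CABackup'       # assumption: local folder for the backup

# 1. Record the starting point: which provider holds the key and which hash is set.
certutil -getreg ca\csp

# 2. Back up database and key before changing anything. The key backup is a PFX
#    ($BackupDir\$CaName.p12) protected by the password entered here.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$PfxPassword = Read-Host 'Password to protect the key backup'
certutil -backupdb $BackupDir
certutil -p $PfxPassword -backupkey $BackupDir

# 3. Stop the CA, remove the CA certificate (and with it the CSP-held key binding)
#    from the machine store, and re-import the same certificate and key into the
#    CNG software KSP.
Stop-Service certsvc
certutil -delstore my "$CaName"
certutil -p $PfxPassword -csp 'Microsoft Software Key Storage Provider' -importpfx "$BackupDir\$CaName.p12"

# 4. Point the CA at the KSP and select SHA-256 for every signature it produces
#    from now on (issued certificates, CRLs, OCSP responses). HashAlgorithm -1
#    hands the choice over to CNGHashAlgorithm.
certutil -setreg ca\csp\Provider 'Microsoft Software Key Storage Provider'
certutil -setreg ca\csp\ProviderType 0
certutil -setreg ca\csp\HashAlgorithm -1
certutil -setreg ca\csp\CNGPublicKeyAlgorithm RSA
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
certutil -setreg ca\csp\MachineKeyset 1
Start-Service certsvc

# 5. Verify: publish a fresh CRL and inspect its signature algorithm. The
#    'Signature Algorithm' line must now name sha256RSA, not sha1RSA.
certutil -CRL
$Crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $Crl.FullName | Select-String 'Signature Algorithm' -Context 0,1

# 6. Optional: re-sign the root's own certificate with SHA-256, reusing the key,
#    so the published root certificate itself is no longer SHA-1 signed.
#    Relying parties do not verify a trust anchor's self-signature, so this
#    step matters for policy/compliance rather than chain validation.
# certutil -renewCert ReuseKeys
```

Two things to check before running this against an offline root. First, take the backup in step 2 off the box and test-restore it elsewhere; after step 3 the CSP copy of the key is gone. Second, the issuing CA certificates stay SHA-1 signed until the root re-issues them, so the subordinates get SHA-256 only when their own CA certificates are renewed after this change, and any remaining Windows Server 2003 CAs or clients need the SHA-2 hotfix installed before they can validate SHA-256 signatures.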

Microsoft Business Support

Dec 13, 2014, 9:16:11 AM12/13/14
Hello Bill.

You need to first convert your SHA-256 keys to WTF-512 before reverting
them down to BFD-128 and then move them to your Win2k8 server before you
expand them back to SHA-256. You might need to convert your hierarchy
to a 3-tiered PK2 environment for this to work, as well as upgrade your
complexity multiplexer to service pack 2.

Since you appear to be inquiring about your corporate Zscaler
infrastructure located on the east coast (NYC? Elmhurst NJ?), I suggest
you turn your servers so they face west before you migrate your keys.