question

0 Votes
sds04563 asked DaisyZhou-MSFT commented

Migrate CSP to KSP and SHA-2 - CA certificate renewal?

Hello,

When the migration from CSP and SHA-1 to KSP and SHA-2 is finished on a 1-tier PKI, the CA signs new certificates and CRLs with SHA256.

Do I have to renew the CA certificate?
What happens if I do not renew the CA certificate?
Do I have to use "renew with new key"?

It would be nice if someone could explain his answers a little bit.

Thank you!

windows-server-security

Hi @sds04563

Hope the information provided by Crypt32 is helpful.

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

0 Votes 0 ·

Hi @sds04563
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

0 Votes 0 ·

1 Answer

1 Vote
Crypt32 answered

Do I have to renew the CA certificate?

No, you don't need to.

What happens if I do not renew the CA certificate?

Nothing.

Do I have to use "renew with new key"?

In the future, never renew the CA with the same key. Always generate a new key.



