JanusBarinan-8508 asked FanFan-MSFT commented

upgrade pki infra

In our current setup we have an enterprise root ca online that does the issuing of certificates to end entities. It is running on windows 2008R2. It currently supports sha-1 algorithm.

We are planning to build a new pki two tier hierarchy composed of a standalone root ca (offline) and two issuing CAs(online). The first issuing CA is sha-2 while the other issuing CA is sha-1(for legacy apps).

Question:
Is this a practical setup that supports newer and legacy apps?

Can the old PKI infra work side by side with the newly built PKI hierarchy while slowly migrating to the new one?

How to determine which CA to select when enrolling for a certificate?

How do you recover a compromised issuing CA?

Do we manually reissue the certificates of current apps?

windows-server
1 Answer

FanFan-MSFT answered FanFan-MSFT commented

Hi,
Welcome to ask here!
For your questions:
1. PKI infrastructure supports newer and legacy apps; you can consider keeping the old PKI for the old apps and using the new PKI for the newer apps. Test each application in the environment that leverages certificates. When you run into an application that does not support SHA2, I would contact the vendor and get on record when they are going to start supporting SHA2, or ask the application owner when they are planning to stop using the application. Once all this is documented, I would revisit these end dates to see if the vendor has updated support or find out if the application owner has replaced the application with something that does support SHA2 algorithms.
Following link for your reference: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/migrating-your-certification-authority-hashing-algorithm-from/ba-p/400300
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/choosing-a-hash-and-encryption-algorithm-for-a-new-pki/ba-p/256160
2. Yes, the old PKI infra can work side by side with the newly built PKI hierarchy while slowly migrating to the new one.
3. You can set the enroll permission on the template for users and clients.
If you want the clients and users to enroll a certificate, give the read and enroll permission on the template.
4. You can refer to the migration steps if you have a backup for the CA server already.
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
5. If you mean that using the new PKI to issue certs, yes.
You may configure the auto-enrollment:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates

Best Regards,
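To support the side-by-side migration and the "manually reissue" question above, here is an added PowerShell example (not part of the answer or of any Microsoft tooling) that inventories the local machine certificate store and flags certificates that are SHA-1 signed or still chain to the old enterprise root CA, so they can be scheduled for reissuance from the new SHA-2 issuing CA. The old CA's name is a placeholder you must replace.

```powershell
# Added example: inventory machine certificates and flag those that depend on
# the legacy SHA-1 CA. Run on each server/workstation being migrated.
# ASSUMPTION: the legacy CA's common name below is a placeholder; replace it
# with the actual subject CN of your Windows 2008 R2 enterprise root CA.
$LegacyCaPattern = '*CN=OLD-ENTERPRISE-ROOT-CA*'

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    # SignatureAlgorithm.FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'
    $sigAlg = $_.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Subject      = $_.Subject
        Issuer       = $_.Issuer
        SigAlgorithm = $sigAlg
        NotAfter     = $_.NotAfter
        Thumbprint   = $_.Thumbprint
        # Reissue if the cert is SHA-1 signed or was issued by the old CA
        NeedsReissue = ($sigAlg -like 'sha1*') -or ($_.Issuer -like $LegacyCaPattern)
    }
}

# Summary: how many certificates depend on each issuer / hash algorithm pair
$report | Group-Object Issuer, SigAlgorithm |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Detail: certificates to reissue from the new SHA-2 issuing CA, soonest expiry first
$report | Where-Object { $_.NeedsReissue } |
    Sort-Object NotAfter |
    Format-Table Subject, Issuer, SigAlgorithm, NotAfter, Thumbprint -AutoSize

# Export so the migration can be tracked alongside the vendor SHA-2 support dates
$report | Export-Csv -Path "$env:TEMP\cert-migration-inventory.csv" -NoTypeInformation
```

On the old CA itself, `certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"` lists the certificates it has issued, which complements this per-host view.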

Thanks! Will check this out.


Hi,
 
Just checking in to see if the information provided was helpful.
 
If the reply helped you, please remember to accept it as an answer to end this thread.
If no, please reply and tell us the current situation in order to provide further help.

Best Regards,
