gez74 avatar image
0 Votes"
gez74 asked gez74 edited

Legacy sha1 certificate

After a root certificate has been renewed (using existing key pair) from sha1 to sha2, the sha1 root certificate is still deployed (along with the new sha2 root certificate) to domain joined devices to both the Trusted root certificate store and the intermediate store.

The architecture in place is an offline Enterprise root CA with Sub CA's. There is no custom GPO set up to deploy the root certificates.

Is it possible (or recommended) to remove the old sha1 certificate from AD so that it is not auto-enrolled on domain joined devices? If so, what is the process for doing this?

I noticed that the new sha2 certificate has the previous CA Certificate Hash attribute set.

Thanks for any advice.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

0 Answers