Forums on Intune, SCCM, and Windows 11


PENDING Upgrading Root CA from SHA-1 to SHA-2

Edy

Hi guys,

We are using a SHA1 Root CA to issue self-signed certificates for clients to communicate with the SCCM server.

We are planning to upgrade the root CA from SHA-1 to SHA-2 and are wondering if anyone knows of or has a step-by-step guide on how to migrate the certs on clients?

Can I upgrade the Root CA to SHA-2 and import the new SHA-2 root cert to SCCM as a trusted root and leave the SHA1 cert unrevoked?

Thanks
 
Hi Prajwal, thanks for the links, but I have read them as well.

Most of the threads just tell you how to upgrade the algorithm but are not specific about the aftermath of the upgrade. At this stage, I am assuming that the clients won't be able to connect to the SCCM server until the new cert is published via group policy.

My other assumption is that the clients would still be able to communicate with the SCCM server and I just have to change the Root CA certificate from the Sites properties and tick the "Clients check the certificate revocation list (CRL) for site systems".
 
My other assumption is that the clients would still be able to communicate with the SCCM server and I just have to change the Root CA certificate from the Sites properties and tick the "Clients check the certificate revocation list (CRL) for site systems".
Do you have a lab environment so that you can simulate it first and then try it in prod?
 