Posted by Brian Komar (MVP) on June 25, 2008, 4:57 pm
It is actually simpler to change the signing algorithm for the root CA,
rather than decommissioning.
This method can also be used at a later date when you have clients (read
Vista or higher) that support CNG.
Here is the process:
1) Identify the CSP used by the root CA by running "certutil -getreg
ca\csp\Provider".
2) Run "certutil -v -csplist" and ensure that SHA1 is reported as a
supported protocol.
3) If SHA1 is supported, you would then add the values assigned to Algorithm
Class, Algorithm Type and Algorithm Sub-id (typically this is 0x8004) and
run "certutil -setreg ca\csp\HashAlgorithm 0x8004".
4) After executing the command, you must restart Certificate Services.
Issue a certificate from the root, and verify that the signature uses SHA1.
You must then renew the two issuing CA certificates.
Brian
> What is the best way to recover from a scenario where you have a root CA
> and 2 issuing CAs, all Windows 2008, and the root was setup with a SHA256
> cert? Can you just change the cert? Do you have to uninstall everything
> and start over? If so, what is the best process to decommission a Windows
> 2008 PKI infrastructure?
>
> Thanks!
>
> Doug Evans
> IT Manager, AWC
>
>
>> You are mixing up certificate type (X.509 version 3) with certificate
>> template type (a MS concept of what properties/algorithms are available).
>> A couple of things to check:
>> 1) Make sure that you are using legacy CSPs and signing algorithms. (not
>> a Key storage provider)
>> 2) Windows XP/2003 cannot consume certificates using SHA2 algorithms
>> (SHA256, SHA512, SHA384).
>> 3) This is for every certificate in the chain
>> If you want, send me a PKCS#7 containing the full certificate chain for
>> inspection
>> Brian
>>
>>> I apologize for the crosspost, but we are hurting here without a
>>> resolution to this issue.
>>>
>>> We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003
>>> based domain. We need to issue certificates to Windows 2003 servers and
>>> Windows XP clients. We are getting "The integrity of this certificate
>>> cannot be guaranteed. The certificate may be corrupted or may have been
>>> altered." On the Details tab of the certificate, we see version is "V3",
>>> Public key is "RSA (1024 Bits)", Thumbprint algorithm is "sha1". On the
>>> Certification Path tab, every certificate shows the error "This certificate
>>> has an nonvalid digital signature.".
>>>
>>> We can generate valid certificates for Windows 2008 servers and for
>>> Vista computers. Our research indicates we need to install the version
>>> 2 templates, but don't know where to get them or how to install them.
>>>
>>> Thanks!
>>>
>>> Doug Evans
>>> IT Manager
>>> Association of Washington Cities
>>>
>>>
>>
>
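As an added illustration of two checks in Brian's procedure (this is editor-supplied example code, not anything posted in the thread or shipped with certutil): combining the Algorithm Class / Type / Sub-id fields into the CALG value written to ca\csp\HashAlgorithm, and inspecting the signatureAlgorithm OID of each DER certificate in a chain to confirm the root and issuing CAs now sign with SHA1 rather than a SHA-2 algorithm that XP/2003 cannot consume. The wincrypt.h constants are real; the certificates are constructed fixtures in which only the signatureAlgorithm field is meaningful, and all function names are the example's own. Export the real chain with certutil (or from the Certification Path tab) as DER files and pass their bytes to audit_chain.

```python
# CALG field values from wincrypt.h (real constants)
ALG_CLASS_HASH = 0x8000     # (4 << 13)
ALG_TYPE_ANY = 0
ALG_SID_SHA1 = 4            # CALG_SHA1   = 0x8004
ALG_SID_SHA_256 = 12        # CALG_SHA_256 = 0x800C

# signatureAlgorithm OIDs as shown in the certificate Details tab
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5RSA",
    "1.2.840.113549.1.1.5": "sha1RSA",
    "1.2.840.113549.1.1.11": "sha256RSA",
    "1.2.840.113549.1.1.12": "sha384RSA",
    "1.2.840.113549.1.1.13": "sha512RSA",
}
SHA2_NAMES = {"sha256RSA", "sha384RSA", "sha512RSA"}


def calg_id(alg_class, alg_type, alg_sid):
    """Combine the three fields reported by 'certutil -v -csplist' into the
    value passed to 'certutil -setreg ca\\csp\\HashAlgorithm'."""
    return alg_class | alg_type | alg_sid


def _read_tlv(buf, pos):
    """Read one DER tag-length-value (single-byte tags only, which covers the
    SEQUENCE / OID / NULL / BIT STRING tags used at the certificate top level)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, friendly name) of a DER certificate's outer signatureAlgorithm:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    _, alg_body, _ = _read_tlv(cert_body, pos)      # AlgorithmIdentifier
    tag, oid_body, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def audit_chain(chain):
    """For each DER cert in the chain (root first or leaf first, order does not
    matter) report (index, friendly name, consumable by XP/2003)."""
    report = []
    for i, der in enumerate(chain):
        _, name = signature_algorithm(der)
        report.append((i, name, name not in SHA2_NAMES))
    return report


def chain_ok_for_legacy(chain):
    """True only when no certificate in the chain carries a SHA-2 signature."""
    return all(ok for _, _, ok in audit_chain(chain))


# ---- constructed fixtures (not real certificates) -------------------------

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fixture_cert(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate and a dummy signature
    value; only the signatureAlgorithm field is meaningful."""
    tbs = _tlv(0x30, _tlv(0x04, b"tbs-placeholder"))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig_val = _tlv(0x03, b"\x00" + b"\x00" * 128)   # forces a long-form length
    return _tlv(0x30, tbs + sig_alg + sig_val)


if __name__ == "__main__":
    print(hex(calg_id(ALG_CLASS_HASH, ALG_TYPE_ANY, ALG_SID_SHA1)))
    chain = [make_fixture_cert("1.2.840.113549.1.1.5"),
             make_fixture_cert("1.2.840.113549.1.1.11")]
    for entry in audit_chain(chain):
        print(entry)
```

The chain check mirrors point 3 of the earlier reply: a single SHA-2 signed certificate anywhere in the path is enough for XP/2003 to report a nonvalid signature, so the audit returns False until the root is re-signing with SHA1 and both issuing CA certificates have been renewed.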