Upgrading your Internal PKI Infrastructure from SHA1 to SHA2 – Current SHA1 Environment

    Posted on April 26, 2016 by in Troubleshooting, Tutorials



    Above you can see the environment we will be using. I've replicated a fairly standard enterprise PKI environment. This includes:

    • An offline Root CA (certificate validity 50 years)
    • Two online Intermediate CAs:
      • 1x Enterprise / AD certificate handling CA (MRPKI001AD)
      • 1x SSL / application certificate handling CA (MRPKI002SSL)

    I won't cover installing or configuring the above environment, as it's assumed this is already in place. I may cover this in a later blog, but for now the focus is purely on the migration/upgrade.

    We have an offline Root CA, which is NOT domain joined and never has been. It counts as offline because it is also shut down for the majority of the time.

    We then have two Intermediate CAs, which are ONLINE and domain joined. These are the servers that end users and computers submit certificate requests to.

    Also in use (not pictured above, but visible in the lab VMs I have running below) are a Windows 7 client to simulate a user logging in, and an IIS server running a basic web page secured with a SHA1 SSL certificate.


    To dive a bit more in depth into the environment, let's start at the top and expand as we go through.


    Here we can see that the only two certificates issued by MRPKIROOT are those of MRPKI001AD and MRPKI002SSL.


    Certificate validity is 50 years.


    Not too much more to say here; using the certificate for MRPKI002SSL you can see the basic certificate hierarchy.



    Coming down to the second layer now, we have our first issuing CA. This CA has been configured to auto-enrol domain joined clients with a certificate (in this example you can see that the client we are using, MRPC01W7, has its own machine SSL certificate, along with the domain controller).


    Moving from the second layer to the third layer (client layer), you can see from the properties and chain hierarchy the issuing CA along with the signature algorithm (SHA1).



    It's also worth noting that MRPKI001AD also stores the CRLs (Certificate Revocation Lists). This is important, as when we come to upgrade the CAs we will republish these signed with SHA2.


    As you can see, these are currently signed with SHA1.



    Moving back to the second layer and on to our other issuing CA: unlike the above, this one has not been configured for auto-enrolment. Instead this CA is used for web server certificates and application certificates, which are manually requested by the user. Again, looking at the properties you can see the signature algorithm and, once again, the chain hierarchy.



    Moving down a layer to layer three, we now come to MRIIS001. This has a basic website (pictured below).


    This is secured with the below SSL certificate. Here we can see the issuing CA along with the signature algorithm (once again SHA1).
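Before touching any CA it helps to have a list of exactly which certificates and CRLs in the hierarchy are still SHA1 signed, covering the machine certificate, the CRLs and the IIS certificate inspected above. The PowerShell below is an added example written for this post, not the lab's own tooling or a Microsoft script; the store paths it scans, the certutil text format it parses and the CRL file path are assumptions.

```powershell
# Inventory the signature algorithm of every certificate in the given stores and
# flag those still signed with SHA1 (sha1RSA, OID 1.2.840.113549.1.1.5).
# Example code for this post; the store paths are an assumption about the lab.
function Get-CertSignatureInventory {
    param(
        # LocalMachine\My holds the machine/IIS certificate, CA holds the issuing
        # CA certificates (MRPKI001AD / MRPKI002SSL) and Root holds MRPKIROOT.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path | ForEach-Object {
            # SignatureAlgorithm is an Oid: Value is the dotted OID, FriendlyName e.g. sha1RSA
            [pscustomobject]@{
                Store        = $path
                Subject      = $_.Subject
                Issuer       = $_.Issuer
                NotAfter     = $_.NotAfter
                SignatureOid = $_.SignatureAlgorithm.Value
                Signature    = $_.SignatureAlgorithm.FriendlyName
                IsSha1       = ($_.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.5')
            }
        }
    }
}

# Report the signature algorithm of a CRL file (for example one downloaded from the
# CDP on MRPKI001AD). Windows PowerShell has no CRL class, so this parses the text
# output of certutil -dump, which is assumed to contain a "Signature Algorithm:"
# section followed by an "Algorithm ObjectId: <oid> <name>" line.
function Get-CrlSignatureAlgorithm {
    param([Parameter(Mandatory)][string]$CrlPath)
    $dump = & certutil.exe -dump $CrlPath 2>&1 | Out-String
    if ($dump -match 'Signature Algorithm:\s*\r?\n\s*Algorithm ObjectId:\s*(\S+)\s*(\S+)') {
        [pscustomobject]@{
            File         = $CrlPath
            SignatureOid = $Matches[1]
            Signature    = $Matches[2]
            IsSha1       = ($Matches[1] -eq '1.2.840.113549.1.1.5')
        }
    } else {
        throw "Could not find a Signature Algorithm section in certutil output for $CrlPath"
    }
}

# Usage: list everything still on SHA1 before the upgrade, then check a CRL.
Get-CertSignatureInventory | Where-Object IsSha1 | Format-Table Store, Subject, Issuer, Signature -AutoSize
Get-CrlSignatureAlgorithm -CrlPath 'C:\Temp\MRPKI001AD.crl'   # assumed local copy of the CRL
```

Run it on each tier (root, issuing CAs, client, IIS server) and keep the output; after Part 2 the same run should show no IsSha1 entries for the lab's own certificates.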



    This covers off the environment we are using. It’s not complex, and is designed to simulate the majority of PKI environments out there.

    With the basics now covered, it’s now time to get on with the upgrade and proceed to Part 2.

