After a fairly lengthy break from writing these guides, I'm back with a topic that is hot right now for a lot of organisations: the migration of a SHA1 PKI to SHA2 (or SHA-256, as you may have heard it called).
All the SSL certificates you can buy nowadays (Symantec, GoDaddy, etc.) no longer use SHA1. In fact I don't think you've been able to get one for a good year or more; I remember Symantec stopping issuing SHA1 certs quite some time ago.
But what about your internal PKI infrastructure? Unless you've recently migrated it, there's a good chance it is still signing with SHA1. Internally (within reason) this isn't a "massive" problem in itself; the issue is that the majority of web browsers have now stopped trusting SHA1-signed certificates and will show a warning about the certificate on the secure site you are visiting (the famous "click here to proceed to this website", or a red address bar instead of a green one). See the image below as an example.
This is not a new issue; it's been known about for years, but as with all things in IT it is often left to the last minute (case in point, Windows Server 2003 end of life: how many people found themselves doing last-minute 2003 to 2008 or 2012 AD migrations?).
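Before assuming you are affected, it is worth checking what your CA is actually signing with and which certificates already in circulation carry a SHA1 signature. The PowerShell below is an added example for this guide, not something lifted from a vendor document; it assumes a Windows AD CS environment, that you run it in an elevated prompt, and that the certutil check is run on the CA server itself. The store paths and registry value names are the standard ones; the caveat about roots is that browsers do not judge a root by its own self-signature, only the signatures on the leaf and any intermediates.

```powershell
# Added example (not from the original post): inventory which signature hash
# algorithm your CA and your existing certificates are using, so you know
# whether the browser warnings described above apply to you.

# 1) What hash does the CA sign with right now? Run this ON the CA server.
#    CNG/KSP-backed CAs use ca\csp\CNGHashAlgorithm; older CSP-backed CAs use
#    ca\csp\HashAlgorithm instead. Expect SHA1 if you have never migrated.
certutil -getreg ca\csp\CNGHashAlgorithm

# 2) Which certificates on this machine were signed with SHA1?
#    SignatureAlgorithm is the algorithm the *issuer* used to sign the cert,
#    so a SHA1 entry in the My or CA store means the issuing CA (or its parent)
#    was still on SHA1 at the time of issue. Entries where Subject == Issuer
#    are self-signed roots: a SHA1 root on its own does NOT trigger the
#    browser warning, because browsers do not verify a trust anchor's own
#    signature, only those on the leaf and intermediates.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'
Get-ChildItem -Path $stores |
    Select-Object Subject, Issuer, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } },
        @{ Name = 'IsRoot'; Expression = { $_.Subject -eq $_.Issuer } } |
    Where-Object { $_.SigAlg -match 'sha1' } |
    Sort-Object IsRoot, NotAfter |
    Format-Table -AutoSize
```

Run the store inventory on a web server and on a client to see the problem from both sides: a SHA1 server certificate in LocalMachine\My on the web server is exactly what the client's browser will complain about, while the same machine's Root store showing a SHA1 root is expected and harmless until the CA itself is migrated.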
Whilst the upgrade itself is fairly simple, I'm going to spread this guide out over a couple of parts:
1) Current SHA1 environment: an overview of the PKI environment I'll be upgrading. I've followed a standard enterprise deployment scenario so you can relate it to your own environment.
2) Upgrading from SHA1 to SHA2: self-explanatory, but it will document the upgrade process step by step.
3) Common questions and scenarios around the updated environment: questions you may want to ask but can't find answers to elsewhere. E.g. what happens to certs already issued when you update the CA to SHA2? What do the clients see? What happens to internal web servers? I'll try to cover a number of scenarios that may be familiar to your environment.
With that said, it's time to crack on with part 1...