Tag Archive: SHA1


Microsoft has announced that it will probably stop accepting SHA-1 earlier than initially planned: the target date is now June 2016 (it was initially January 2017).

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

https://blogs.windows.com/msedgedev/2015/11/04/sha-1-deprecation-update/

On November 11, 2013 Microsoft published the Windows Root Certificate Program – Technical Requirements version 2.0, which contains the SHA1 Deprecation Policy (http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx). As summarised by Comodo (https://www.comodo.com/e-commerce/SHA-2-transition.php), the policy says that:

  1. CAs must stop issuing new SHA1 SSL and Code Signing certificates by 1 January 2016.
  2. For SSL certificates, Windows will stop accepting SHA1 certificates by 1 January 2017. This means any SHA1 SSL certificates issued before or after this announcement must be replaced with a SHA2 equivalent by 1 January 2017.
  3. For code signing certificates, Windows will stop accepting SHA1 signed code and SHA1 certificates that are time stamped after 1 January 2016. SHA1 signed code time stamped by an RFC 3161 Time Stamp Authority before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.
  4. The Program will no longer accept for distribution new root certificates with code signing use supporting SHA1 or RSA 2048. New code signing root certificates must support SHA2 and RSA 4096.
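The four rules above are dated by certificate type, so the first practical question is which of your own certificates they actually hit. The PowerShell below is an added example (not part of the original post) that walks the local machine stores and flags SHA-1-signed certificates by usage and expiry, using the 1 January 2016 / 1 January 2017 dates quoted above; the store list and the verdict wording are my assumptions. Trusted roots are reported but not flagged, because Windows does not validate the self-signature on a trust anchor, so a SHA-1 root is not affected by the policy.

```powershell
# Added example, not from the original post. Inventory SHA-1-signed certificates
# in the local machine stores and say which of the policy rules above applies.
$SslCutoff     = Get-Date '2017-01-01'   # rule 2: SHA1 SSL certs rejected after this
$CodeCutoff    = Get-Date '2016-01-01'   # rule 3: SHA1 code signing (new timestamps) rejected after this
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'     # EKU: Server Authentication
$CodeSignOid   = '1.3.6.1.5.5.7.3.3'     # EKU: Code Signing

function Get-Sha1CertificateReport {
    param(
        # Assumed set of stores worth checking; add Cert:\CurrentUser\My for user certs
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')
    )
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            # SignatureAlgorithm is the algorithm the ISSUER used to sign this certificate,
            # which is what the deprecation policy is about (not the key type or size).
            $sig = $cert.SignatureAlgorithm.FriendlyName
            if ($sig -notmatch 'sha1') { continue }

            # Collect EKU OIDs; a certificate with no EKU extension is valid for any purpose
            $ekus = @()
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            $anyPurpose = ($ekus.Count -eq 0)

            $isSelfSigned = ($cert.Subject -eq $cert.Issuer)
            if ($isSelfSigned) {
                $verdict = 'trust anchor: self-signature is not validated, not affected'
            } elseif (($anyPurpose -or $ekus -contains $CodeSignOid)) {
                $verdict = "code signing: signatures timestamped after $($CodeCutoff.ToShortDateString()) rejected"
            } elseif (($anyPurpose -or $ekus -contains $ServerAuthOid) -and $cert.NotAfter -gt $SslCutoff) {
                $verdict = "SSL: replace with SHA2 before $($SslCutoff.ToShortDateString())"
            } elseif ($ekus -contains $ServerAuthOid) {
                $verdict = 'SSL: expires before the cut-off, no action'
            } else {
                $verdict = 'other usage: review manually'
            }

            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Signature  = $sig
                NotAfter   = $cert.NotAfter
                Verdict    = $verdict
            }
        }
    }
}

Get-Sha1CertificateReport | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

Run it on each server before the switch and again afterwards; the "code signing" verdict is intentionally checked first because a certificate carrying both EKUs hits the earlier of the two dates.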

================================================================

Recommendations and steps to upgrade a root CA to support SHA2:

https://blogs.technet.microsoft.com/xdot509/2015/12/27/transitioning-your-pki-to-sha2/

Recommendations and steps to upgrade an issuing CA to support SHA2:

First, check the current CA hash algorithm value: certutil -getreg ca\csp\CNGHashAlgorithm

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

https://technet.microsoft.com/en-us/library/dn771627.aspx

http://blogs.technet.com/b/pki/archive/2013/09/19/upgrade-certification-authority-to-sha256.aspx#pi47623=1

C:\Windows\system32>certutil -setreg ca\csp\CNGHashAlgorithm SHA256
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\NCEMSLABCA\csp:

Old Value:
  CNGHashAlgorithm REG_SZ = SHA1

New Value:
  CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

C:\Windows\system32>net stop certsvc
The Active Directory Certificate Services service is stopping.
The Active Directory Certificate Services service was stopped successfully.

C:\Windows\system32>
C:\Windows\system32>net start certsvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service was started successfully.

Note: from this point the CA signs every newly issued certificate and CRL with SHA256, even though the CA's own certificate and the rest of the chain are still SHA1-signed; the CA certificates themselves only move to SHA256 when they are renewed (root first, then the issuing CA, as in the transition article linked above). Applications consuming those certificates must support SHA256 signatures on every certificate in the chain, not only on the leaf. Two caveats: the CNGHashAlgorithm value is only honoured when the CA key is held by a CNG key storage provider (KSP); a CA whose key lives in a legacy CSP must have the key migrated to a KSP first (see the "upgrade certification authority to SHA256" article). And certificates already issued with SHA1 are not re-signed; they stay SHA1 until re-issued.

After that, duplicate the default templates you use (for example "Web Server") and set the duplicate's compatibility to "Windows Server 2008 Enterprise" so that the CRYPTOGRAPHY tab exposes the KSP provider category and the request hash setting; then choose SHA256, SHA384 or SHA512 there. Note that this template setting controls the hash the enrolling client uses to sign its certificate request; the signature on the issued certificate is determined by the CA's CNGHashAlgorithm value set above.
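The certutil procedure above has no pre-flight check and no verification step. The PowerShell below is an added example (not code from the original post) that wraps the same certutil commands: it reads the CA's key provider and current hash algorithm, refuses to proceed when the key is in a legacy CSP (where CNGHashAlgorithm is ignored), performs the switch and service restart, re-reads the value, and finally lists the signature algorithm of every certificate in a given chain so the "SHA256 on every certificate in the chain" caveat can be verified on an issued certificate. The registry value names ca\csp\Provider and ca\csp\CNGHashAlgorithm are the real certutil names; the output-parsing regex and the function names are my assumptions. Run it elevated on the issuing CA.

```powershell
# Added example, not from the original post. Pre-flight check, switch to SHA256
# and verification for an AD CS issuing CA. Requires an elevated prompt on the CA.

function Get-CaCspSetting {
    param([Parameter(Mandatory)][string]$Name)
    # certutil -getreg prints a line like "  CNGHashAlgorithm REG_SZ = SHA1";
    # the regex below (assumed output format) keeps only the value.
    $out  = certutil -getreg "ca\csp\$Name" 2>&1
    $line = $out | Where-Object { "$_" -match "^\s*$Name\s+REG_\w+\s*=\s*.+$" } | Select-Object -First 1
    if ($line -and ("$line" -match "=\s*(.+)$")) { return $Matches[1].Trim() }
    return $null
}

function Set-CaHashAlgorithmSha256 {
    $provider = Get-CaCspSetting -Name Provider
    $hash     = Get-CaCspSetting -Name CNGHashAlgorithm
    Write-Host "Key provider    : $provider"
    Write-Host "CNGHashAlgorithm: $hash"

    # CNGHashAlgorithm is only honoured by a CNG key storage provider (KSP).
    # A legacy CSP (e.g. "Microsoft Strong Cryptographic Provider") ignores it.
    if (-not $provider -or $provider -notmatch 'Key Storage Provider') {
        throw "CA key is held by a legacy CSP ('$provider'); migrate the key to a KSP before switching to SHA256"
    }
    if ($hash -eq 'SHA256') {
        Write-Host 'CA already signs with SHA256, nothing to do'
        return
    }

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null   # same command as in the post
    Restart-Service -Name CertSvc                                 # replaces net stop / net start

    $after = Get-CaCspSetting -Name CNGHashAlgorithm
    if ($after -ne 'SHA256') { throw "Switch failed: CNGHashAlgorithm is '$after'" }
    Write-Host 'CA now signs new certificates and CRLs with SHA256'
}

function Show-ChainSignatureAlgorithms {
    # Builds the chain of an issued certificate and prints the signature algorithm
    # of each element, so SHA1 CA certificates still in the chain are visible.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we are checking signatures here, not revocation
    [void]$chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject   = $element.Certificate.Subject
            Signature = $element.Certificate.SignatureAlgorithm.FriendlyName
            NotAfter  = $element.Certificate.NotAfter
        }
    }
}

Set-CaHashAlgorithmSha256

# Verification: pick a certificate issued after the switch (path assumed) and inspect its chain.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued-after-switch.cer'
Show-ChainSignatureAlgorithms -Certificate $issued | Format-Table -AutoSize
```

Expected result right after the switch: the leaf shows sha256RSA while the issuing CA and root entries still show sha1RSA until those CA certificates are renewed.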


Here are resources and comments about ADCS migration to 2012 R2:

https://windorks.wordpress.com/2014/08/12/migrating-a-microsoft-pki/

http://blog.datacenterfromhell.net/2014/12/migrating-two-tier-microsoft-pki-from.html

Can an old PKI hierarchy coexist with a new PKI in the same forest?

"Yes you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects representing those CAs are named and stored, you couldn't possibly experience a conflict unless you tried to give more than one CA the same CA name."

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx

Why does this matter? Use case: the old 2008 R2 AD CS SHA1 hierarchy and the new SHA256 hierarchy running AD CS 2012 R2 side by side during the transition.

Multiple PKI Hierarchies in the Same Environment:

http://www.postseek.com/meta/fe2eee95f5a00bd80ab13f9627e2813b


Step by Step AD CS 2012 R2 two-tier PKI build:

http://www.flexecom.com/deploying-enterprise-pki-on-windows-server-2012-r2/

CAPolicy.inf syntax: http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

http://davidmtechblog.blogspot.fr/2015/02/pki-public-key-infrastructure-with.html

http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/


http://pleasework.robbievance.net/howto-install-a-2-tier-windows-2012-r2-ad-integrated-pki-infrastructure/


http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-1.html

http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-2.html

http://www.derekseaman.com/2014/01/windows-server-2012-r2-two-tier-pki-ca-pt-3.html


http://hanygeorge.com/blog/2-tier-pki-on-windows-server-2012step-by-step-guide/


Here is a list of other web resources about AD CS:

2013: Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy : http://technet.microsoft.com/en-us/library/hh831348.aspx

AD CS 2008 R2 Installation Getting Started Guide: http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx

Downloadable, printable job aids which include the most commonly used commands and procedures for administering Server Core installations are available at http://go.microsoft.com/fwlink/?LinkId=151984.

Steps for installing a server role on a Server Core installation of Windows Server 2008 R2:

Unlike Windows Server 2008, Server Core installations of Windows Server 2008 R2 use Dism.exe to install and uninstall most server roles. For more information about Dism.exe, see http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx.

Installing Windows Features on a server running a Server Core installation of Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/ee441253(WS.10).aspx

Installing AD CS on a Server Core installation of Windows Server 2008 R2 by using a PowerShell script: Setup Certification Authority with PowerShell

How to request and install a certificate on a server core: http://social.technet.microsoft.com/Forums/en-US/winservercore/thread/97d388e8-eb88-4744-b47a-938065849deb/

AD CS and PKI Step-by-Steps, Labs, Walkthroughs, HowTo, and Examples:

http://www.microsoft.com/download/en/details.aspx?id=22838

AD CS 2008 step by step: http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

http://social.technet.microsoft.com/wiki/contents/articles/4797.aspx

AD PKI 2003 step by step: http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx

How to configure Certificate based authentication for OWA: http://msexchangeteam.com/archive/2008/10/07/449942.aspx

=> Example Step by Step: http://www.corelan.be/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/

Checklist: Configuring certificate Auto-Enrollment:

=> http://technet.microsoft.com/en-us/library/cc773385(WS.10).aspx

Checklist: Decommissioning a certification authority

=> http://technet.microsoft.com/en-us/library/cc786938(WS.10).aspx

Troubleshooting: http://technet.microsoft.com/en-us/library/cc758774(WS.10).aspx

ADCS Certificate Templates, how to, best practices and troubleshooting:

http://www.microsoft.com/download/en/details.aspx?id=7429

http://technet.microsoft.com/en-us/library/cc758496(WS.10).aspx

Certificate Services How To… http://technet.microsoft.com/en-us/library/cc737760(WS.10).aspx

French technet articles: http://technet.microsoft.com/fr-fr/library/cc770357(WS.10).aspx

Checklist: Creating a certification hierarchy with an offline root certification authority:

=> http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx (superseded by: http://social.technet.microsoft.com/wiki/contents/articles/2900.aspx )

ADCS and firewall ports: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

ADCS FAQ: http://social.technet.microsoft.com/wiki/contents/articles/1587.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-frequently-asked-questions-faq.aspx

ADCS: Clean CA db

http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx

ADCS: New Hotfix to fix the CA private key missing from system states backups:

http://support.microsoft.com/kb/2603469

AD CS – Permissions and delegation model:

http://technet.microsoft.com/en-us/library/cc732590.aspx

https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx

AD CS tool to install: PKI smtp exit module

http://social.technet.microsoft.com/wiki/contents/articles/active-directory-certificate-services-smtp-exit-module-for-windows-server-2008-r2-example.aspx

ADCS NDES/SCEP:  http://www.microsoft.com/download/en/details.aspx?id=1607

http://www.windowsitpro.com/article/security/setting-up-network-device-enrollment-service-

ADCS CEP/CES: http://www.microsoft.com/download/en/details.aspx?id=1746

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM329

AD CS Online Responder Services (OCSP) in a Network: http://www.microsoft.com/download/en/details.aspx?id=17877

http://technet.microsoft.com/en-us/library/cc753468(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx

AD CS Online Responder Services (OCSP) in high availability mode with NLB:

http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx


ADCS deploying cross-forest certificate enrollment:

http://www.microsoft.com/download/en/details.aspx?id=17877

http://technet.microsoft.com/en-us/library/ff955845(WS.10).aspx

ADCS operations tasks: http://technet.microsoft.com/en-us/library/cc771702(WS.10).aspx

ADCS and Powershell: http://blog.powershell.no/2011/01/09/working-with-active-directory-certificate-services-from-windows-powershell/

Codeplex: PKI Powershell module: http://pspki.codeplex.com/