BLMiller
I am in the process of migrating our PKI from SHA1 to SHA2. We still have some devices on our network that do not support SHA2. However, we need to implement SHA2 for our new mobile device management. We want to be able to use certificate authentication for our mobile/laptop devices. Since we can't fully implement SHA2 on our network, my plan is to stand up a parallel subordinate CA and leave the offline root as SHA1. The next step I wanted to do is to limit our SHA2 CA to only a handful of templates that will be needed for the mobile device authentication.
We use 802.1x for all device authentication to our network, with multiple NPS servers and hundreds of NPS policies. My plan for this is to create a single policy for mobile devices that requires the SHA2 certificate for authentication. We have an NDES server for issuing certificates to these devices.
I attempted to upgrade us from all SHA1 to SHA2 certificates earlier this week and it was a total failure. I had to roll back all changes and restore some stuff from backup to get everyone working quickly. We have 3k wireless devices, and connecting every one of them to the network is just not an option.
Does anyone here have any experience setting up a parallel issuing CA with different hash algorithms? What should I expect as far as issues? We will have to keep our SHA1 CA online for at least a year, as some of the devices that do not support SHA1 are budgeted for next fiscal year.
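An added example, not part of the original post and not from Microsoft: before pointing an NPS policy at "SHA2 certificates only", it helps to know which certificates on a given machine actually chain through a SHA1 signature. The PowerShell below walks each certificate in the local machine store, builds its chain, and flags any non-root link (the leaf or an intermediate) whose signature algorithm is SHA1. The root's self-signature is skipped because relying parties do not validate it, which is why leaving the offline root on SHA1 is workable. The store path, the client-authentication EKU filter and the output fields are choices made for this example; nothing here is specific to the poster's environment.

```powershell
# Added example (not from the original post): report which machine certificates
# have a SHA1-signed link in their chain, i.e. which ones an NPS policy that
# requires SHA2 would reject. Run in an elevated PowerShell on the device.

function Get-ChainHashReport {
    [CmdletBinding()]
    param(
        # Store to inventory; Cert:\LocalMachine\My is assumed for 802.1x machine certs.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Only look at certificates carrying the Client Authentication EKU,
        # since those are the ones EAP-TLS / PEAP-TLS on NPS will see.
        [switch]$ClientAuthOnly
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        if ($ClientAuthOnly) {
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
            if (-not $hasClientAuth) { return }
        }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is irrelevant to this inventory; avoid CRL/OCSP lookups stalling it.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)

        $links = $chain.ChainElements | ForEach-Object { $_.Certificate }

        # A self-issued root's own signature is not checked by relying parties,
        # so only non-root links count. FriendlyName is e.g. 'sha1RSA' / 'sha256RSA'.
        $sha1Links = $links |
            Where-Object { $_.Subject -ne $_.Issuer -and $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
            ForEach-Object { $_.Subject }

        $chain.Reset()

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Issuer         = $cert.Issuer
            LeafSignature  = $cert.SignatureAlgorithm.FriendlyName
            ChainBuilt     = $built
            Sha1SignedLinks = ($sha1Links -join '; ')
            NeedsReissue   = [bool]$sha1Links
        }
    }
}

# Example run: list only client-auth certs and show the ones that would fail a SHA2-only policy.
Get-ChainHashReport -ClientAuthOnly |
    Sort-Object NeedsReissue -Descending |
    Format-Table Subject, LeafSignature, Sha1SignedLinks, NeedsReissue -AutoSize
```

One caveat the report makes visible: if the new SHA2 issuing CA is itself signed by the SHA1 offline root, every certificate it issues still has a SHA1 signature on the intermediate, and this script will list the sub-CA as a SHA1-signed link. Whether that matters depends on what the relying party checks; Windows clients in a private PKI generally accept it, but anything that inspects intermediate signatures will not. On the CA side, `certutil -getreg ca\csp\CNGHashAlgorithm` shows which hash the issuing CA is configured to sign with, and `certutil -SetCATemplates` on the new CA is the documented way to trim its template list to the handful the mobile devices need.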