Active Directory Certificate Authority SHA1 to SHA2 Migration: Field Notes


Doing PKI means playing with certificate-related stuff. If it's not public, it's private.
Public certs can mostly be solved with $$. An internal CA is different: you have to stand up the whole CA yourself, and then look after everything from creating templates to issuing certs. Building it isn't hard. What's hard is migrating certs, and especially the problems that have already surfaced because hash algorithms have moved on.

Since SHA1 is no longer secure, and the "Microsoft Strong Cryptographic Provider" on a Windows Server 2003-based CA doesn't support SHA2 either, the CA needs to be migrated and switched over to the newer Key Storage Provider (KSP).

The backup, migration and restore procedure is still OK if you follow the M$ article. Absolutely do not get lazy about the CA backup, the registry, and the CA root cert / private key. I messed up once on this very migration; without a backup, not even the gods could have saved me...

The first link below definitely has a trap in it. Follow it blindly and you'll get burned.

In the end I found the third link, and from my own failed experience, backing up the CA root cert in .P12 format and using that .P12 for the later restore is the safer way.
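As an added example (not code from this post or from the Microsoft / ammarhasayen guides linked below), here is the kind of pre-migration backup script I would run on the CA box before touching the CSP-to-KSP switch. It records the current provider settings, backs up the CA database, the CA cert plus private key as the .P12 that certutil produces, and the CertSvc registry hive, and then verifies the .P12 actually opens and carries the private key before you go any further. The CA name, backup path and password are placeholders, not values from the post.

```powershell
# Added example for this post: a pre-migration backup script for an AD CS CA.
# Not code from the post or from the linked Microsoft / ammarhasayen guides.
# Assumptions (all placeholders, replace before use): run in an elevated PowerShell
# on the CA server itself; $CAName is the CA's common name; $BackupRoot is a
# location that is NOT on the CA's own system disk; $PfxPassword protects the .p12.
param(
    [string]$CAName      = 'CONTOSO-ROOT-CA',
    [string]$BackupRoot  = 'D:\CA-Backup',
    [string]$PfxPassword = 'REPLACE-ME-strong-passphrase'
)

$ErrorActionPreference = 'Stop'

# Run certutil, capture stdout+stderr as text, and fail loudly on a non-zero exit.
# certutil writes informational lines to stderr, so the capture is done with
# ErrorActionPreference relaxed for the duration of the call only.
function Invoke-Certutil {
    param([string[]]$Arguments)
    $ErrorActionPreference = 'Continue'
    $output = & certutil.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dir | Out-Null

# 1. Record the provider and hash settings the CA uses today. On a CSP-based CA the
#    CNG hash value is normally absent, so that query is allowed to fail; the text is
#    kept so the "before" state can be compared with the state after the KSP switch.
Invoke-Certutil @('-getreg', 'ca\csp\Provider') | Out-File (Join-Path $dir 'before-csp-provider.txt')
try {
    Invoke-Certutil @('-getreg', 'ca\csp\CNGHashAlgorithm') | Out-File (Join-Path $dir 'before-cng-hash.txt')
} catch {
    'CNGHashAlgorithm not set (CA is still on a legacy CSP)' | Out-File (Join-Path $dir 'before-cng-hash.txt')
}

# 2. CA database and logs.
$dbDir = Join-Path $dir 'db'
Invoke-Certutil @('-backupDB', $dbDir) | Out-Null

# 3. CA certificate plus private key, written by certutil as <CAName>.p12 (PKCS#12),
#    the format the post recommends keeping for the restore.
$keyDir = Join-Path $dir 'key'
Invoke-Certutil @('-p', $PfxPassword, '-backupKey', $keyDir) | Out-Null

# 4. The CertSvc configuration hive (CSP/KSP settings, CRL/AIA paths, templates).
$regFile = Join-Path $dir 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed' }

# 5. Verify the backup BEFORE touching the CA: the .p12 must exist, open with the
#    password, carry the private key, and belong to the CA we think it does.
$pfx = Get-ChildItem -Path $keyDir -Filter '*.p12' | Select-Object -First 1
if (-not $pfx) { throw "No .p12 produced in $keyDir" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfx.FullName, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
if (-not $cert.HasPrivateKey) { throw "$($pfx.Name) contains no private key" }
if ($cert.Subject -notlike "*CN=$CAName*") { throw "Unexpected subject: $($cert.Subject)" }
$thumb   = $cert.Thumbprint
$sigAlgo = $cert.SignatureAlgorithm.FriendlyName   # shows sha1RSA before, sha256RSA after renewal
$cert.Reset()                                      # release the temporary key container

if (-not (Get-ChildItem -Path $dbDir -Recurse -Filter '*.edb')) { throw 'No .edb in DB backup' }
if (-not (Test-Path $regFile)) { throw 'Registry export missing' }

# 6. Write a SHA-256 manifest so the copy you restore from can be checked for
#    tampering or truncation later.
Get-ChildItem -Path $dir -Recurse -File |
    Where-Object { $_.Name -ne 'manifest.sha256' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path } |
    Out-File (Join-Path $dir 'manifest.sha256')

Write-Host "Backup verified in $dir"
Write-Host ("CA cert thumbprint: {0}, signature algorithm: {1}" -f $thumb, $sigAlgo)
```

Copy the whole timestamped folder somewhere off the CA before you start the KSP switch; the script deliberately refuses to report success unless the .P12 opens with the password and contains the private key, because that .P12 is what you will be importing into the KSP and what saves you if the migration goes wrong.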


https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

Credit and Reference:

https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Extremely Useful Step by Step Guide

https://ammarhasayen.com/2015/02/04/sha-2-support-migrate-your-ca-from-csp-to-ksp/