I'm currently managing a domain with an older CA that uses SHA1, and I'm planning to set up a new enterprise CA with a SHA256 root certificate. I'm curious if there are any specific challenges or considerations I should be aware of while doing this, or if I'm just overthinking the whole scenario.
4 Answers
There shouldn't be anything major to worry about. I've done this multiple times without issues. Just make sure you update all your systems to trust the new CA once you start issuing certificates. One tip: take care of your NPS policies for 802.1X, so you don't run into any snags.
You can absolutely run two root CAs. Just make sure you install the new root CA in your environment and gradually phase out the old one. It helps to treat this like a fresh PKI setup. Additionally, I recommend keeping track of where your existing root CA is registered as a trusted root.
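The answer above suggests tracking where the old root is still trusted and which certificates still chain to it. The following PowerShell is an added example written for this page, not code from any of the answerers, that inventories the standard LocalMachine stores on a domain member and flags certificates that either chain to the old CA or carry a SHA-1 signature. The CA name `CORP-OLD-CA`, the function name and its parameters are hypothetical placeholders.

```powershell
# Added example: inventory certificate stores ahead of a SHA-1 -> SHA-256 CA migration.
# Assumption (hypothetical): the old issuing CA's DN contains the string passed in
# -OldCaPattern. Run on a domain member in an elevated PowerShell session.
function Get-CaMigrationInventory {
    [CmdletBinding()]
    param(
        # Substring of the old CA's Issuer DN, e.g. 'CORP-OLD-CA' (placeholder name)
        [Parameter(Mandatory)][string]$OldCaPattern,
        # Root = trusted roots, CA = intermediates, My = this machine's own certs
        [string[]]$Stores = @('Root', 'CA', 'My')
    )

    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            $isSelfSigned = ($_.Subject -eq $_.Issuer)
            $sigAlg       = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            # A SHA-1 signature on a self-signed root is not itself a problem: chain
            # building does not verify the trust anchor's own signature, trust comes
            # from store membership. SHA-1 matters on issued and intermediate certs.
            $weakSig = ($sigAlg -like 'sha1*') -and -not $isSelfSigned
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                SignatureAlg  = $sigAlg
                SelfSigned    = $isSelfSigned
                WeakSignature = $weakSig
                IssuedByOldCa = ($_.Issuer -like "*$OldCaPattern*")
            }
        }
    }
}

# Usage: everything that still chains to the old CA, or is SHA-1 signed by a CA,
# has to be reissued from the new SHA-256 CA before the old root is retired.
Get-CaMigrationInventory -OldCaPattern 'CORP-OLD-CA' |
    Where-Object { $_.IssuedByOldCa -or $_.WeakSignature } |
    Sort-Object Store, NotAfter |
    Format-Table Store, Subject, SignatureAlg, NotAfter, IssuedByOldCa -AutoSize

# Publishing the new root into Active Directory so domain members receive it through
# Group Policy (run once by an Enterprise Admin; NewRoot.cer is a placeholder path):
#   certutil -dspublish -f .\NewRoot.cer RootCA
# Clients pick the new root up at the next policy refresh (gpupdate /force to hurry it).
```

Run the inventory on the NPS server as well as on a sample of clients: the server's EAP certificate must chain to a root the 802.1X clients already trust, so the NPS certificate and the client-side trusted-root selection in the wireless or wired profile have to be moved to the new CA together, which is the "snag" the first answer hints at.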
I used some great resources to get through a similar process, like this step-by-step guide on setting up PKI. It's got all the details for migrating without affecting existing certificates. Also, looking into YubiHSM2 could be beneficial for securing your root keys!
Yes, you can definitely have two root certificates in your domain! When you're ready to switch, cross-signing the roots can make the transition smoother. Start with the new SHA256 root and gradually move your services over from the old CA. Just remember to make your offline root as strong as possible to ensure its longevity.