

Updating CA Servers from 1024 to 2048 key size

Question

Monday, October 29, 2012 3:00 PM

Does anyone have a good article on updating CA enterprise servers, including the root and all issuing servers, from 1024 to 2048 key size? Are there any caveats or known issues with doing so?

All replies (6)

Tuesday, October 30, 2012 5:42 AM | Answered | 1 vote

On Tue, 30 Oct 2012 04:00:03 +0000, LutzMH wrote:

going from 1024 to 2048 means having a new CA private key. Or, if you so will, a new Root CA and issuing CAs. Do you run your PKI on Windows 2008 R2 or 2003? If 2003 you may want to upgrade to 2008 R2 or 2012 anyway. After you have a new PKI you can re-issue machine certificates automatically, update Radius etc. beforehand so that your machines can log on to Wifi, just as an example. If you provide a little bit more insight about your PKI we may find an article which fits your environment.

Renewing your CAs with a new key pair does not mean a new PKI, nor does it
require the re-issuance of existing certificates. Renewing with a new key
pair will automatically create cross-certification certificates for your
CAs (identified by the (n) at the end of the certificate and CRL filenames)
which, amongst other things, allow chain and revocation checking to
continue to work for certificates that were issued prior to the renewal.

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
Terminal:  What most people have to be before consenting to see a doctor.


Tuesday, October 30, 2012 4:00 AM

Hi,

going from 1024 to 2048 means having a new CA private key. Or, if you so will, a new Root CA and issuing CAs. Do you run your PKI on Windows 2008 R2 or 2003? If 2003 you may want to upgrade to 2008 R2 or 2012 anyway. After you have a new PKI you can re-issue machine certificates automatically, update Radius etc. beforehand so that your machines can log on to Wifi, just as an example. If you provide a little bit more insight about your PKI we may find an article which fits your environment.

Thank you,

Lutz


Tuesday, October 30, 2012 11:36 AM

Thanks Paul for the confirmation. Can you (or anyone) recommend a good document describing the process for changing the key size on issuing servers?

Do people agree it is a best practice for the key size configured in certificate templates not to be greater than the key size of the servers which are issuing the certs?


Wednesday, October 31, 2012 10:44 AM | 1 vote

Follow the online guides to perform an Issuing CA certificate renewal and choose the option to use a new key pair with the required key length.

Best practice dictates the use of 2048-bit keys if possible, so your issuing CA should be using at least this level too...

Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
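An added check, written for this thread and not code from any of the posters above: it reads each enterprise CA's current certificate and the minimum key size of every template that CA publishes straight from the Configuration partition, then flags CAs still on keys shorter than 2048 bits and templates whose minimum exceeds the key size of the CA that issues them (the question raised two posts up). It assumes the ActiveDirectory module (RSAT), Windows PowerShell 5.1 and read access to the Configuration naming context; after a renewal with a new key pair, cACertificate holds the newest CA certificate, so it reports the post-renewal key size.

```powershell
# Added example: CA key size vs. template minimum key size, read from AD.
# Assumes RSAT ActiveDirectory module and Windows PowerShell 5.1 (.NET Framework).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# msPKI-Minimal-Key-Size is the minimum RSA key length a template demands at enrollment.
$templateMin = @{}
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties msPKI-Minimal-Key-Size |
    ForEach-Object { $templateMin[$_.Name] = [int]$_.'msPKI-Minimal-Key-Size' }

function Get-CaKeySizeReport {
    # One pKIEnrollmentService object per enterprise CA; cACertificate is the CA's
    # current (most recently renewed) certificate, certificateTemplates what it publishes.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter "(objectClass=pKIEnrollmentService)" `
        -Properties cACertificate, certificateTemplates, dNSHostName
    foreach ($ca in $cas) {
        $raw = $ca.cACertificate
        # Octet-string attributes come back as byte[] or as a collection of byte[].
        $certBytes = if ($raw -is [byte[]]) { $raw } else { [byte[]]($raw | Select-Object -First 1) }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$certBytes)
        $caKeySize = $cert.PublicKey.Key.KeySize
        foreach ($tmpl in $ca.certificateTemplates) {
            $min = $templateMin[$tmpl]
            $finding = if ($caKeySize -lt 2048) { 'CA key below 2048 bits' }
                       elseif ($min -gt $caKeySize) { 'Template minimum exceeds CA key' }
                       else { 'OK' }
            [pscustomobject]@{
                CA             = $ca.Name
                Host           = $ca.dNSHostName
                CAKeySize      = $caKeySize
                CACertNotAfter = $cert.NotAfter
                Template       = $tmpl
                TemplateMinKey = $min
                Finding        = $finding
            }
        }
    }
}

Get-CaKeySizeReport | Sort-Object Finding, CA | Format-Table -AutoSize
```

Certificates issued before the renewal keep chaining to the older CA certificate, so a 'CA key below 2048 bits' line only tells you the CA has not yet been renewed with a new key pair, not that existing certificates have stopped validating.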


Monday, April 11, 2016 6:53 PM

So, no response then.


Monday, April 11, 2016 7:21 PM

So now you have moved on to four year old posts....

Provide details (or better yet, start a new thread) and we can answer or assist.

Brian