regarding the SHA1 deprecation policy Micrososft Security Advisory 2880823
I operate a private CA in a large organization with thousands of web based applicationi and hudreds of Mirosoft server components and tens of thousands of client computers. If I want all my stuff to work after January 1, 2017 I need to:
1) Migrate all my end-entity certificates (website host certificates) to SHA2.
2) Convert my private root CA and intermediate CA certificates (certificate chain, chaining certificates) to SHA2.
3) Ensure the updated certificate chain (SHA2 hashed signature) is pushed to all server and client computers via GPO, etc.
Is this correct? There has been some indication by other security "experts" that indicate the policy does not affect private CA's I understand that MS via it's Root Certificate Program will only let new keys into the Browser (certificate store) that are SHA2. But if I manually configure a SHA1 signed certificate in the certificate store or push out a SHA1 certificate in group policy, will it still work? Will something else in Windows components stop SHA1 from working? Or just that the default Roots and Intermediates shipped with the browser will only be SHA2?
Let me know your reply
You can also reply me at jeff.swenson2@cigna.com
Thank you