PKI: SHA1 and SHA256 coexist?
I have a SHA256 PKI environment that is working well; however, I now have two new projects that only support SHA1.
I want to stand up an online, standalone PKI root just for the SHA1 certificates. Should the new root be in a workgroup, or can it exist as a domain member? I do not want to create any conflicts between the two environments.
Thanks in advance!
tina, just tina
May 23rd, 2011 7:24pm
Hello,
I recommend that you ask them here:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
http://social.technet.microsoft.com/Forums/en-US/ocssecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Network Infrastructure, and Applications Infrastructure, Configuration
May 23rd, 2011 8:32pm
You can safely set up a new PKI in your AD forest without any issues. However, for security reasons (not compatibility) it is recommended to maintain an offline root.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 23rd, 2011 9:03pm
You can also (Vadims, correct me if I'm wrong) have an offline root CA issue a SHA1 certificate to down-level Issuing CAs. On one of the Issuing CAs that you wish to issue down-level SHA2 with, configure this Issuing CA to utilize SHA2.
Long story short, you can have an offline root CA that is SHA1, and stand up a new Enterprise Issuing CA below the root that utilizes SHA2.
Again, correct me if I'm wrong.. :)
May 23rd, 2011 9:19pm
Generally it is useless to maintain a SHA1 root and SHA2 down-level CAs, for obvious reasons. The most important CA (the root) will still use the less secure SHA1 algorithm. This means that if you wish to get the benefits of SHA2, it is useful to maintain two different roots.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 23rd, 2011 10:17pm
Thanks for the replies.
I was able to stand up a new root using SHA1. I have assigned permissions for the new root to several new templates. Everything looks good, except that when I load certsrv, I do not see the "Certificate Templates" node. When I browse to https://servername/certsrv, I do not see any of the customized templates to issue.
Any thoughts?
tina, just tina
May 24th, 2011 11:15pm
This is because you set up a Standalone CA. Standalone CAs (rather than Enterprise CAs) don't use certificate templates. Instead, all required information must be included in the certificate request.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 24th, 2011 11:22pm
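As an added example (this is not code from anyone in the thread), the following PowerShell script shows what "all required information must be included in the request" means in practice for a standalone CA: the subject, key parameters, EKU and SAN are carried in a certreq INF file instead of a template. The CA config string, host names and subject are assumptions for illustration.

```powershell
# Added example, not from the original posters.
# Request a certificate from a standalone CA with certreq.exe. A standalone CA
# ignores certificate templates, so every attribute the certificate needs must
# be inside the PKCS#10 request itself. Values below are assumed for illustration.

$CaConfig = 'SHA1CA01.contoso.com\Contoso-SHA1-CA'   # assumed "<host>\<CA common name>"
$Subject  = 'CN=app1.contoso.com'                    # assumed subject of the new cert
$SanDns   = 'app1.contoso.com'                       # assumed SAN entry
$WorkDir  = Join-Path $env:TEMP 'sha1-request'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# INF consumed by certreq -new. HashAlgorithm here only signs the request itself;
# the hash on the issued certificate is decided by the CA's own configuration.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA1
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name, since no template will add it for us
2.5.29.17 = "{text}dns=$SanDns"
"@

$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Build the PKCS#10 request; this also generates the key pair in the machine store.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the standalone CA. Unless its policy module auto-issues, the request
#    is held as pending, so capture the RequestId that certreq prints.
$submit = certreq.exe -submit -config $CaConfig $reqPath $cerPath 2>&1
Write-Output $submit
$match = ($submit | Out-String) | Select-String -Pattern 'RequestId:\s*(\d+)'
$requestId = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }

# 3. Bind the issued certificate to its private key, or tell the operator how to
#    issue a pending request from the CA side and then retrieve it.
if (Test-Path $cerPath) {
    certreq.exe -accept $cerPath
} elseif ($requestId) {
    Write-Output "Request $requestId is pending. A CA manager issues it with:"
    Write-Output "  certutil -config `"$CaConfig`" -resubmit $requestId"
    Write-Output "then retrieve and install it with:"
    Write-Output "  certreq -retrieve -config `"$CaConfig`" $requestId `"$cerPath`""
    Write-Output "  certreq -accept `"$cerPath`""
}

# 4. Confirm which hash actually signed the issued certificate (sha1RSA vs sha256RSA).
function Get-SignatureHash([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    '{0}  signed with {1} ({2})' -f $cert.Subject, $cert.SignatureAlgorithm.FriendlyName, $cert.SignatureAlgorithm.Value
}
if (Test-Path $cerPath) { Get-SignatureHash $cerPath }
```

The last step is the check worth keeping: the request's HashAlgorithm does not control the hash on the issued certificate, so after the SHA1 root issues something, confirm the leaf really reads sha1RSA (and on the SHA256 side, sha256RSA). The hash a CA applies to what it issues can also be read directly with `certutil -config "<host>\<CA name>" -getreg ca\csp\CNGHashAlgorithm` on a CNG-based CA, or `ca\csp\HashAlgorithm` on one still using a legacy CSP.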
Ah, I see now. Thanks so much!
tina, just tina
May 24th, 2011 11:25pm
Hi,
First, SHA1 and SHA256 coexist. The multiple CAs are independent of each other. All issuing CAs will be published to AD under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com. When a client tries to submit a request, it will contact all CAs under Enrollment Services one by one (there is no priority).
As we know, Windows XP and 2003 do not support SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificates, so these computers can only get their certificates from your SHA1 root CA.
I would like to provide you with some references about SHA2:
Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption
http://support.microsoft.com/kb/968730
SHA2 and Windows
http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
Thanks.
May 27th, 2011 12:25pm
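As an added example (not code from anyone in the thread), here is a way to see exactly what the reply above describes: every CA published under CN=Enrollment Services in the forest's Configuration partition, with the hash that signed each CA certificate, so you know which of the coexisting CAs is SHA1 and which is SHA256 before clients start walking the list. It reads AD through ADSI from a domain-joined machine; the function name is my own, and the attribute names (cACertificate, dNSHostName, certificateTemplates) are the standard ones on pKIEnrollmentService objects.

```powershell
# Added example, not from the original posters.
# Enumerate the CAs published for enrollment in this forest and report the
# signature hash on each CA certificate. Runs on a domain-joined machine; needs
# no RSAT modules, only ADSI.

function Get-PublishedEnrollmentService {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    # Same container the reply names: CN=Enrollment Services,CN=Public Key Services,...
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    foreach ($ca in $container.Children) {
        if ($ca.SchemaClassName -ne 'pKIEnrollmentService') { continue }

        # cACertificate holds the DER-encoded CA certificate.
        $der  = [byte[]]$ca.Properties['cACertificate'][0]
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

        $caName = [string]$ca.Properties['cn'][0]
        $caHost = [string]$ca.Properties['dNSHostName'][0]

        [pscustomobject]@{
            CAName       = $caName
            Config       = '{0}\{1}' -f $caHost, $caName     # usable with certreq/certutil -config
            # Hash that signed the CA cert: self-signed for a root, the parent's
            # hash for a subordinate.
            CACertHash   = $cert.SignatureAlgorithm.FriendlyName
            NotAfter     = $cert.NotAfter
            # Empty for a standalone CA, which has no templates to advertise.
            Templates    = (@($ca.Properties['certificateTemplates']) -join ',')
        }
    }
}

Get-PublishedEnrollmentService | Sort-Object CAName | Format-Table -AutoSize
```

Two caveats when reading the output. CACertHash is the hash on the CA's own certificate, which for a subordinate is whatever its parent used; the hash that CA applies to certificates it issues is a separate setting, readable with `certutil -config "<Config>" -getreg ca\csp\CNGHashAlgorithm` (legacy CSP-based CAs use `ca\csp\HashAlgorithm` instead). And an empty Templates column is the normal signature of the standalone CA discussed earlier in the thread, not a permissions problem.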