I have done a lot of research and planning and now know the directions I want to go. Since this is not something I normally do I was hoping there may be some outside counsel I could use to clarify a few points before solidifying the design.
CURRENT STATE:
We are currently running our CA on Windows 2012 R2. This was moved from Windows 2003.
Since this was migrated from a 2003 CA, we are still running a Cryptographic Service Provider (CSP). Only web and domain controller certificates have been issued from this environment.
DESIRED STATE:
We need to move from a CSP and SHA-1 to a Key Storage Provider (KSP) and SHA-2.
I am in the process of architecting a new 2-tier PKI environment on Windows 2012 R2 servers. This will take over the role of issuing certificate server for all new requests. The root and issuing CA are both Windows 2012 R2 servers. There will also be another intermediate CA for our web filter solution.
- I cannot see any compelling reason to take the Root CA offline. It seems like much more of a pain than it is worth. Am I missing something?
- Since I will be keeping the root online, do I install the Root CA as an Enterprise or Standalone CA?
- For the Root CA I plan to select SHA1 with a key length of 4096 for the cryptography. Would you suggest I select SHA256?
- For the Issuing CA I plan to select SHA256 with a key length of 2048. Is this what you would recommend?
- I plan to set the validity periods as 20 years for the Root CA, 10 years for the Issuing CA, and 5 years for issued certificates. Do you foresee any issues with this?
- In order to remove the dependency on a server name I plan to publish the Root and Issuing AIA and CRL to the following locations, which will be hosted from the Issuing CA (4 files total):
  http://certificate.DOMAIN.com/CertData/<CAName><DeltaCRLAllowed>.crl
  http://certificate.DOMAIN.com/CertData/<ServerDNSName>_<CAName><CertificateName>.crt
  This will only be resolvable internally. Any issues with the root and issuing CA publishing to the same location (different file names)?
- When I have the new Root/Issuing servers online and configured I plan to disable all templates in the old certificate environment. I will leave those two servers online until all issued certificates have expired. Do you see any issues with this?
- We still have some XP and 2003 servers online. They are in the process of being removed. Is there any issue with specifying the AlternateSignatureAlgorithm=1 parameter in the new environment?
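As an added example (not from the original post or the poster's environment), here is how the publishing scheme, validity periods and signature settings described in the post translate into actual Windows 2012 R2 CA configuration, with a read-back check at the end. The hostname certificate.DOMAIN.com and the CertData path come from the post; the CertEnroll folder is the ADCS default; the CRL/delta CRL periods, the IIS site name "Default Web Site" and the use of a KSP on the new CAs are assumptions. The CRL filename template here includes %8 (CRLNameSuffix) in addition to the post's %3%9, so that CRLs signed by a renewed CA key get a distinct filename.

```powershell
# Added example: Root CA CAPolicy.inf plus Issuing CA post-install settings.
# Assumptions: KSP-backed CAs, IIS on the Issuing CA serving the CertEnroll
# folder as /CertData on certificate.DOMAIN.com, CRL periods chosen below.

# --- 1. Root CA: CAPolicy.inf in %WINDIR% before the ADCS role is installed ---
# Empty CDP/AIA sections keep those extensions out of the self-signed root cert.
# AlternateSignatureAlgorithm=0 keeps classic PKCS#1 v1.5 signatures (sha256RSA),
# which pre-Vista clients such as XP/2003 can validate.
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $rootPolicy -Encoding Ascii

# On the Root CA, after install: certs the root issues (the sub CA certs) are
# capped at 10 years, and it signs with SHA-256.
#   certutil -setreg CA\ValidityPeriodUnits 10
#   certutil -setreg CA\ValidityPeriod "Years"
#   certutil -setreg CA\CSP\CNGHashAlgorithm SHA256
#   certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0

# --- 2. Issuing CA: server-name-independent CDP/AIA, periods, signature ---
$publishHost = 'http://certificate.DOMAIN.com/CertData'

# CRL list. Flags: 1 publish CRL to this path, 64 publish delta CRL to this path,
# 2 put URL in issued certs' CDP extension, 4 put URL in the Freshest CRL extension.
# %3 = CA name, %8 = CRL name suffix (set on key renewal), %9 = "+" for delta CRLs.
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:$publishHost/%3%8%9.crl"

# AIA list. Flags: 1 publish CA cert to this path, 2 put URL in issued certs' AIA.
# %1 = server DNS name, %3 = CA name, %4 = certificate index (renewals).
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$publishHost/%1_%3%4.crt"

# Issued certificates capped at 5 years; weekly base CRL, daily delta (assumed values).
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# SHA-256 signatures via the KSP, PKCS#1 v1.5 encoding (AlternateSignatureAlgorithm off).
certutil -setreg CA\CSP\CNGHashAlgorithm SHA256
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0

# Delta CRL filenames contain "+", which IIS request filtering rejects unless
# double escaping is allowed on the site that serves /CertData.
& "$env:windir\system32\inetsrv\appcmd.exe" set config "Default Web Site" `
    /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true

Restart-Service CertSvc
certutil -crl   # write a fresh base + delta CRL with the new settings

# --- 3. Read-back: what the CA now advertises, and whether IIS actually serves it ---
certutil -getreg CA\CSP\CNGHashAlgorithm
certutil -getreg CA\CSP\AlternateSignatureAlgorithm
Import-Module ADCSAdministration
Get-CACrlDistributionPoint | Format-Table Uri, PublishToServer, AddToCertificateCdp -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Every .crl/.crt the CA wrote locally must be fetchable over the published URL.
Get-ChildItem -Path "$env:windir\system32\CertSrv\CertEnroll\*" -Include *.crl, *.crt |
    ForEach-Object {
        $status = try {
            (Invoke-WebRequest -Uri "$publishHost/$($_.Name)" -Method Head -UseBasicParsing).StatusCode
        } catch { "FAIL: $($_.Exception.Message)" }
        "{0,-60} {1}" -f $_.Name, $status
    }
```

Once a certificate has been issued from the new CA, `certutil -verify -urlfetch issued.cer` walks the CDP and AIA URLs exactly as a client would and reports any location that cannot be retrieved; that is the test that shows whether hosting both CAs' files under one internal-only name works for the clients that need them.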