We are going to be replacing our internal Server 2008 CA with a two-tier 2012 R2 setup with one offline server and one online CA server.
I noticed that all the installation guides I saw that were written before the SHA1 debacle last year suggested using the weakest possible SHA1 certificate signing, because it was believed SHA256 was overkill.
Every few months for the last several months, some new revelation comes out that nobody noticed before (SSL 3.0 determined to be too weak, SHA1 determined to be too weak, everyone "forgot" that export-grade ultra-weak encryption was still enabled even though there is no reason it should ever be used, and on and on). What's going to be next?
So, now SHA256 is the "minimum" that should be used. Why keep choosing minimums? Why not just go to SHA512 now when building a new CA and not have to worry about having to scramble to quickly update and redeploy overly weak certificates again in a few years or maybe less?
Is there a loss of compatibility with SHA512 signed certificates? Does SHA512 work with Windows 7, IE10, EAS 2010 and Lync 2010 ext?
- Edited by MyGposts 5 hours 44 minutes ago
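Added example for the question above (not code from the original post or from Microsoft): two PowerShell helpers that (1) inventory which signature algorithms the certificates already present on a machine use, so you can see what today's clients are already validating and what is still SHA-1, and (2) read and change the hash algorithm a running ADCS CA signs with, using certutil's documented CNGHashAlgorithm registry value. The store paths, the CA common name and the key length are assumptions for illustration.

```powershell
# Added example, not from the original post. Store paths, CA name and key
# sizes below are assumptions for illustration.

function Get-SignatureAlgorithmInventory {
    [CmdletBinding()]
    param(
        # Stores to walk; the machine's Personal and Trusted Root stores are the usual suspects.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path | ForEach-Object {
            # FriendlyName is e.g. 'sha1RSA', 'sha256RSA', 'sha512RSA' (or 'md5RSA' on very old roots)
            $alg = $_.SignatureAlgorithm.FriendlyName
            $bits = switch -Regex ($alg) {
                '^md5'    { 128 }
                '^sha1'   { 160 }
                '^sha256' { 256 }
                '^sha384' { 384 }
                '^sha512' { 512 }
                default   { 0 }
            }
            [pscustomobject]@{
                Store     = $path
                Subject   = $_.Subject
                Issuer    = $_.Issuer
                NotAfter  = $_.NotAfter
                Algorithm = $alg
                HashBits  = $bits
                # Anything at or below SHA-1 is what actually needs replacing.
                Weak      = ($bits -le 160)
            }
        }
    }
}

function Get-CaSigningHash {
    # Reads the hash the local CA uses to sign the certs and CRLs it issues.
    # Only a CA whose key lives in a CNG key storage provider has this value.
    $out = certutil -getreg ca\csp\CNGHashAlgorithm 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $out" }
    $m = [regex]::Match(($out -join "`n"), 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)')
    if (-not $m.Success) { throw 'CNGHashAlgorithm not found; the CA key is probably on a legacy CSP' }
    return $m.Groups[1].Value
}

function Set-CaSigningHash {
    # Changes the hash used for future signatures; already-issued certs keep their old one.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SHA256', 'SHA384', 'SHA512')]
        [string]$Algorithm
    )
    $current = Get-CaSigningHash
    if ($current -eq $Algorithm) { Write-Verbose "CA already signs with $Algorithm"; return }
    if ($PSCmdlet.ShouldProcess("local CA ($current -> $Algorithm)", 'set CNGHashAlgorithm')) {
        certutil -setreg ca\csp\CNGHashAlgorithm $Algorithm | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }
        Restart-Service -Name certsvc      # the new value is picked up on service restart
    }
}

# --- Usage ---
# What is still SHA-1 (or worse) on this machine, soonest-expiring first:
Get-SignatureAlgorithmInventory | Where-Object Weak | Sort-Object NotAfter |
    Format-Table Store, Subject, Algorithm, NotAfter -AutoSize

# Mix of algorithms already in use (what today's clients are already validating):
Get-SignatureAlgorithmInventory | Group-Object Algorithm | Select-Object Name, Count

# For a brand-new 2012 R2 CA the hash is chosen at install time (assumed CA name):
#   Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
#   Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Contoso Offline Root CA' `
#       -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
#       -HashAlgorithmName SHA512 -ValidityPeriodUnits 10 -ValidityPeriod Years
# On an existing KSP-backed CA, preview the switch before doing it for real:
#   Set-CaSigningHash -Algorithm SHA512 -WhatIf
```

The inventory tells you what the boxes you own already chain and validate; it does not prove that a SHA512-signed end-entity certificate will negotiate under TLS on every client listed in the question, since the hash a client accepts when validating a certificate chain and the signature algorithms it offers in a TLS handshake are two separate things. Test the actual client applications against a SHA512-signed test certificate from a lab CA before cutting over.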