I don't know the larger answer, but: Do not make RSA1024 certs, they are outdated, this is Microsoft official guidance. Use RSA2048. Thumbprints are just for visual comparison and not important
From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James Sent: Friday, January 29, 2016 10:07 AM To: [email protected] Subject: [mssms] RE: ConfigMgr certs / SHA-2 So I created a new template based on the instructions from Technet and I'm a little confused by the details of a new cert that I enrolled off that template. As you can see, first thing it says is it's a V3 cert and Technet states it must be V2 template. Secondly, the Signature algorithm says it's a SHA256 but at the bottom, the Thumbprint algorithm says it's a SHA1. So it makes me think I created the template incorrectly. (Note: I can see in the ClientIDManagerStartup.log that the client is detecting the cert from the new CA and its successfully validating it and using it.) [cid:[email protected]] From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Olsson Mats (4004) Sent: Wednesday, January 27, 2016 2:24 AM To: [email protected]<mailto:[email protected]> Subject: [mssms] SV: ConfigMgr certs / SHA-2 As Jason says there is a difference between templates and algorithms. We did migrate our environment to SHA-2 last summer and it just works. Just remember to import both chains into SCCM during the migration period and make sure that CRL checking works Best Regards Mats Från: [email protected]<mailto:[email protected]> [mailto:[email protected]] För Jason Sandys Skickat: den 26 januari 2016 22:23 Till: [email protected]<mailto:[email protected]> Ämne: [mssms] RE: ConfigMgr certs / SHA-2 Two different things. Cert template types != hash algorithm used by certs. Version 2 Cert templates support SHA-2 algorithms no problem. Correct with the v3 cert templates, the client agent will not try to use them - it will see them an ignore them. >From memory, the only issue today are AMT/vPRO certs which only support SHA-1 >but that set of functionality is deprecated in ConfigMgr anyway so it's not >really an issue. J From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Beardsley, James Sent: Tuesday, January 26, 2016 3:09 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] ConfigMgr certs / SHA-2 Due to the Jan 2017 date in which Windows will no longer trust SHA-1 certificates, we're building a new CA that is SHA-2. I noticed that on TechNet, it still says that we must use 2003 compatibility (version 2) for all ConfigMgr related certs. How is this going to work later on down the road when SHA-1 certificates are no longer supported? And what would happen if we built a Workstation Certificate that was version 3? Does it just flat out not work? Certainly, at some point, I would think SHA-2 certs will be supported. https://technet.microsoft.com/en-us/library/gg699362.aspx Thanks, James Beardsley | Firm Technology Group Dixon Hughes Goodman LLP [cid:8644FC49-D5C9-45AE-B387-04FAFC0CC7A5]<http://www.dhgllp.com/> ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation. ________________________________ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation.
