Thanks Jason. So do you think I should re-do the template and manually change that Minimum key size to 2048?
From: [email protected] [mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Friday, January 29, 2016 4:40 PM
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

The thumbprint is just an identifier and having it use SHA-1 is not a security concern -- to my knowledge, it's not changeable either. The signature algorithm is what dictates the security of the cert. Thus, your template is fine and you did it right (based on the below).

Also, don't confuse cert template version and cert version. Once again, two different things. If you chose Windows Server 2003 during template creation, you're fine.

I concur with the 1024 recommendation also - use 2048.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James
Sent: Friday, January 29, 2016 10:59 AM
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

That was my concern. We are trying to do 2048, so it would seem that I did not create this template correctly. However, when I created the template, because I had to choose 2003 compatibility, the "Provider Category" option under Cryptography is grayed out and set to "Legacy Cryptographic Service Provider", which is what we are trying to get rid of. I cannot select "Key Storage Provider". It seems when Legacy is selected, the default value in the Minimum key size field is 1024. The Technet instructions do not specify to change that to 2048, so I left it as default. Hence, my confusion...

From: [email protected] [mailto:[email protected]] On Behalf Of Wolf, Daniel
Sent: Friday, January 29, 2016 11:18 AM
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

I don't know the larger answer, but: Do not make RSA1024 certs, they are outdated; this is Microsoft official guidance. Use RSA2048.

Thumbprints are just for visual comparison and not important.

From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James
Sent: Friday, January 29, 2016 10:07 AM
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

So I created a new template based on the instructions from Technet and I'm a little confused by the details of a new cert that I enrolled off that template. As you can see, the first thing it says is it's a V3 cert, and Technet states it must be a V2 template. Secondly, the Signature algorithm says it's SHA256, but at the bottom, the Thumbprint algorithm says it's SHA1. So it makes me think I created the template incorrectly. (Note: I can see in the ClientIDManagerStartup.log that the client is detecting the cert from the new CA and it's successfully validating it and using it.)

[inline screenshot of the certificate details omitted]

From: [email protected] [mailto:[email protected]] On Behalf Of Olsson Mats (4004)
Sent: Wednesday, January 27, 2016 2:24 AM
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

As Jason says, there is a difference between templates and algorithms. We did migrate our environment to SHA-2 last summer and it just works. Just remember to import both chains into SCCM during the migration period and make sure that CRL checking works.

Best Regards
Mats

From: [email protected] [mailto:[email protected]] On Behalf Of Jason Sandys
Sent: 26 January 2016 22:23
To: [email protected]
Subject: [mssms] RE: ConfigMgr certs / SHA-2

Two different things. Cert template types != hash algorithm used by certs. Version 2 cert templates support SHA-2 algorithms no problem.

Correct with the v3 cert templates, the client agent will not try to use them - it will see them and ignore them.

From memory, the only issue today is AMT/vPro certs, which only support SHA-1, but that set of functionality is deprecated in ConfigMgr anyway so it's not really an issue.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James
Sent: Tuesday, January 26, 2016 3:09 PM
To: [email protected]
Subject: [mssms] ConfigMgr certs / SHA-2

Due to the Jan 2017 date in which Windows will no longer trust SHA-1 certificates, we're building a new CA that is SHA-2. I noticed that on TechNet, it still says that we must use 2003 compatibility (version 2) for all ConfigMgr related certs. How is this going to work later on down the road when SHA-1 certificates are no longer supported? And what would happen if we built a Workstation Certificate that was version 3? Does it just flat out not work? Certainly, at some point, I would think SHA-2 certs will be supported.

https://technet.microsoft.com/en-us/library/gg699362.aspx

Thanks,

James Beardsley | Firm Technology Group
Dixon Hughes Goodman LLP
http://www.dhgllp.com/

________________________________
Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation.
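The thread keeps coming back to three things that get confused in the certificate details dialog: the X.509 certificate version (always 3 for a modern cert), the AD CS template version (carried in a certificate extension), and the difference between the signature algorithm (which decides the certificate's cryptographic strength) and the thumbprint (a SHA-1 hash over the raw certificate bytes, used only as an identifier). The following PowerShell audit is an added example, not code from the thread or from Microsoft; it walks a certificate store and reports those fields side by side, flagging SHA-1 signatures and RSA keys below 2048 bits. The store path `Cert:\LocalMachine\My` and the 2048-bit minimum are assumptions you can change with the parameters.

```powershell
# Added example (not from the mailing-list thread): audit the certificates in a
# store for the properties discussed above. Assumed defaults: the machine's
# personal store (where a ConfigMgr client certificate would normally live) and a
# 2048-bit RSA minimum, matching the advice in the thread.
param(
    [string]$StorePath      = 'Cert:\LocalMachine\My',   # assumption
    [int]   $MinimumKeySize = 2048                       # assumption
)

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # GetRSAPublicKey works for keys from both the legacy CSP and a KSP on .NET 4.6+;
    # fall back to the older PublicKey.Key path for older runtimes.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        if ($rsa) { return $rsa.KeySize }
    } catch { }
    try { return $Cert.PublicKey.Key.KeySize } catch { return $null }
}

function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (version 2 and later templates;
    #                        its text includes the template name and major/minor version)
    # 1.3.6.1.4.1.311.20.2 = Certificate Template Name (version 1 templates)
    $v2 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($v2) { return $v2.Format($false) }
    $v1 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($v1) { return 'v1 template: ' + $v1.Format($false) }
    return '(no template extension; not issued from an AD CS template)'
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert    = $_
    $keySize = Get-RsaKeySize -Cert $cert
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName     # e.g. sha256RSA or sha1RSA
    $issues  = @()
    if ($sigAlg -match '^sha1') { $issues += 'SHA-1 signature' }
    if ($keySize -and $keySize -lt $MinimumKeySize) { $issues += "RSA key $keySize < $MinimumKeySize" }

    [pscustomobject]@{
        Subject           = $cert.Subject
        X509Version       = $cert.Version        # 3 for any modern cert; unrelated to the template version
        Template          = Get-TemplateInfo -Cert $cert
        SignatureAlg      = $sigAlg              # this is what determines the cert's strength
        KeySize           = $keySize
        ThumbprintSHA1    = $cert.Thumbprint     # identifier only: SHA-1 over the DER bytes, not a signature
        FingerprintSHA256 = ([BitConverter]::ToString($sha256.ComputeHash($cert.RawData))) -replace '-', ''
        Issues            = ($issues -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

Run it on a client after enrolling from the new template: a row showing `X509Version 3`, a `Template` line naming your v2 template, `SignatureAlg sha256RSA`, `KeySize 2048` and an empty `Issues` column is the healthy result, and the SHA-1 thumbprint in that row is expected regardless of the signature algorithm. If `KeySize` comes back as 1024, the template's minimum key size (the `msPKI-Minimal-Key-Size` attribute, visible with `certutil -v -template`) is the thing to change before re-enrolling.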
