I have inherited these systems
There is a root CA, which is ONLINE, and a Sub CA. It is using SHA-1. This month we were hit with the Google Chrome 72 update, whereby users are getting the privacy error
"NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM"
You attempted to reach fqdn of our adfs server, but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker).
proceed to fqdn of our adfs server (unsafe)
We are close to the end of life for Windows Server 2008 and the upgrade is in the pipeline.
Is it easy to upgrade the algorithm to SHA256? What would be the knock-on effects in the network? We have Exchange, SQL, ADFS and many web servers. Would these stop working? Also, on the ADFS, do we need to update the certs to get rid of the above error? In which case we will have to supply the new cert to the third parties.
Rather than making the changes twice (once to fix the above error and then again to migrate off 2008), is it better to migrate the CAs to Server 2012 R2, 2016 or 2019?
And for the migration, what server should I use? The forest root is on 2008 R2, some DCs are on 2012 R2 and some on 2008 R2, at the 2008 functional level. We will be migrating all the ADs to 2012 R2.
Should I take the CAROOT offline after the upgrade?
How long should I keep the cert validity for? At the moment CASUB gets a 2-year cert from CAROOT and users get certs for a maximum of 2 years from CASUB.
Any help is highly appreciated; my experience around CAs is minimal.
Thanks in advance.
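Added example (editor's code, not part of the original post): the checks a practitioner would run before and after switching an AD CS CA to SHA256. It shows how to read the CA's current hash algorithm and key provider with certutil, the documented registry switch to SHA256, and a small PowerShell function that connects to a TLS endpoint and reports the signature algorithm of every certificate in the presented chain, flagging the ones Chrome will reject. It assumes a Windows host with the AD CS tools (certutil.exe) and PowerShell 3 or later; the host name adfs.example.com is a placeholder.

```powershell
# Added example, not from the original post. Assumes certutil.exe (AD CS tools)
# and PowerShell 3+. 'adfs.example.com' is a placeholder host name.

# 1. What the CA signs with today, and where its key lives.
#    CNGHashAlgorithm only applies when the CA key is held by a CNG key storage
#    provider (e.g. "Microsoft Software Key Storage Provider"). A CA whose key is
#    in a legacy CSP must have the key migrated to a KSP before SHA256 can be set.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. The switch itself (run on each CA, then restart the service). Only certs
#    issued AFTER this point are SHA256-signed; the Sub CA cert and every
#    existing end-entity cert (ADFS, Exchange, web servers) keep their SHA-1
#    signature until renewed. Commented out so this script is read-only as-is.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service certsvc

# 3. What a TLS endpoint actually presents, element by element.
function Get-ChainSignatureAlgorithms {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to inspect the chain, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $cert   = $element.Certificate
        $isRoot = ($cert.Subject -eq $cert.Issuer)
        $alg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SignatureAlg = $alg
            NotAfter     = $cert.NotAfter
            # Browsers do not check the self-signature on a trust anchor, so a
            # SHA-1 root alone does not cause ERR_CERT_WEAK_SIGNATURE_ALGORITHM;
            # a SHA-1 leaf or intermediate does.
            Weak         = (-not $isRoot) -and ($alg -match 'sha1|md5')
        }
    }
}

Get-ChainSignatureAlgorithms -HostName 'adfs.example.com' | Format-Table -AutoSize
```

Run step 3 against the ADFS FQDN before the change to see which chain elements are flagged Weak, then again after the Sub CA certificate has been renewed from the (now SHA256) root and the ADFS service certificate has been re-issued: the leaf and intermediate rows should show sha256RSA and Weak = False. The same function works for the Exchange and web server endpoints in the question, so the knock-on effect can be measured per host rather than guessed.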