Implementing a new PKI Structure that supports SHA256

My question has to do with moving away from our old PKI environment and onto a new PKI environment I am designing.

A little background... So, due to the fact that our existing PKI environment was not installed using most best practices and it only supports SHA1, I am designing a new PKI environment based on Windows Server 2012 R2. The intention is to implement many of the best practices Brian Komar talks about in his book and to support SHA256. When I am done I will have two PKI hierarchies: the old SHA1 hierarchy and the new SHA256 hierarchy. I can easily move Forest members over to using new certificates, but my concern is around internal Java applications.

Assuming the Java application owners do not have a good way of distributing the new CA certificates to their clients' trusted certificate stores (I apologize for my lack of knowledge around Java), is there a way I can bridge the two PKI hierarchies? I have been experimenting with Cross CA certificates and Qualified Subordination, but that really seems like overkill for my situation. These two PKI environments are within the same organization. Is there a simpler way to essentially sign the SHA256 root CA certificate with the SHA1 root CA, so that if the Java clients see a new SSL certificate, for example, issued from the new SHA256 CAs, they will have the ability to construct the chain of trust to the old SHA1 root CA? This would just be a temporary solution to give us time to get the new CA certificates out there to the Java clients.

Thank you.

> is there a way I can bridge the two PKI hierarchies? I have been experimenting with Cross CA certificates and Qualified Subordination, but that really seems like overkill for my situation.

Yes, you can bridge via Qualified Subordination (Cross-Certification), and it is the only way you can bridge PKIs. However, bridging should be a temporary solution, because the SHA2 PKI will chain to the SHA1 root, which is not recommended.

> This would just be a temporary solution to give us time to get the new CA certificates out there to the Java clients.

Then cross-certification is your best solution.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
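The bridge the answer recommends, reproduced as an added example that is not part of the original question or answer and does not come from the PSPKI module: two independent hierarchies are built with OpenSSL, the old root issues a cross-certificate for the new root's key under the new root's own subject name, and the leaf certificate is then validated three ways, as a client that trusts only the new root, as a client that trusts only the old root and is not sent the cross-certificate (fails), and as a client that trusts only the old root and is sent the cross-certificate (succeeds). All CA names, the host name app.example.internal and the WORK directory are constructed placeholders. The "old" root is signed with SHA-256 here only so the script runs on systems whose crypto policy refuses to create SHA-1 signatures; in the environment described in the question it is the SHA-1 root.

```shell
#!/bin/sh
# Added example (not from the original post or answer): cross-certification
# between two hierarchies, demonstrated with OpenSSL. All names are
# constructed placeholders; the old root uses SHA-256 only for portability.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key pair plus CSR for one subject: $1 = file basename, $2 = subject DN
mkkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Sign a CSR: $1 = CSR basename, $2 = issuing CA basename, $3 = extension
# file, $4 = validity in days, $5 = output basename (defaults to $1)
sign() {
  out="${5:-$1}"
  openssl x509 -req -sha256 -days "$4" -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$3" -out "$WORK/$out.crt" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:app.example.internal\n' \
    > "$WORK/ee.ext"

  # Old hierarchy: one self-signed root (stands in for the SHA-1 root)
  mkkey_csr old-root "/CN=Old Root CA"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/old-root.csr" \
    -signkey "$WORK/old-root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/old-root.crt" 2>/dev/null

  # New SHA-256 hierarchy: self-signed root, one issuing CA, one server cert
  mkkey_csr new-root "/CN=New Root CA"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/new-root.csr" \
    -signkey "$WORK/new-root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/new-root.crt" 2>/dev/null
  mkkey_csr issuing "/CN=New Issuing CA"
  sign issuing new-root ca.ext 1825
  mkkey_csr leaf "/CN=app.example.internal"
  sign leaf issuing ee.ext 365

  # Cross-certificate: the OLD root signs the NEW root's public key under the
  # same subject name the new root's self-signed certificate carries (the
  # new root's own CSR is reused). Short validity: the bridge is temporary.
  sign new-root old-root ca.ext 730 new-root-cross
}

# Path validation as a client would do it: $1 = the only root the client
# trusts, remaining arguments = intermediates the server sends in its chain.
verify_chain() {
  root="$WORK/$1.crt"; shift
  : > "$WORK/untrusted.pem"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$WORK/untrusted.pem"; done
  openssl verify -CAfile "$root" -untrusted "$WORK/untrusted.pem" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Succeeds when two certificates certify the same public key
same_key() {
  [ "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)" = \
    "$(openssl x509 -in "$WORK/$2.crt" -pubkey -noout)" ]
}

issuer_of() { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

demo() {
  build_pki
  echo "cross-cert issuer: $(issuer_of new-root-cross)"
  echo "cross-cert certifies the new root's key: $(same_key new-root new-root-cross && echo yes || echo no)"
  verify_chain new-root issuing && echo "trusts new root, normal chain: OK"
  verify_chain old-root issuing || echo "trusts old root, cross-cert not sent: FAIL (expected)"
  verify_chain old-root issuing new-root-cross && echo "trusts old root, cross-cert sent: OK"
}

demo
```

Two points the run makes visible. First, the cross-certificate is a second certificate for the same key and subject name as the new root, so an issuing CA certificate signed by the new root verifies under either one; which chain a client builds depends only on which root it trusts. Second, the bridge only works if the client can actually obtain the cross-certificate: in the failing case the old-root client is sent just the leaf and the issuing CA, so it has nothing that links "New Root CA" back to its trust store. In practice that means the servers must include the cross-certificate in the chain they send (or clients must be able to fetch it via AIA), and because the whole new hierarchy then chains to the weaker root, the cross-certificate should carry a short validity and be allowed to lapse once the new root has been distributed to the Java trust stores. Adding name, policy or path-length constraints to that cross-certificate is what turns plain cross-certification into the "Qualified Subordination" the thread mentions.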
