Absent Member.

Moving to "External" AD Certificate Services CA...

Is anyone using AD Certificate Services CA for ZCM?

With the SHA-1 deprecation, and because we need to change our internal CA anyway, we're considering moving to our AD CS CA, which has recently been updated to use the SHA-256 algorithm.

It looks a bit simpler with the new ZCM 11.4 Configuration->Certificates tab...
I guess one of the main issues will be timing, as we have a large number of remote users connecting infrequently. However, all machines are in the AD and hence have the CA cert...

As regards using the AD CS CA, has anyone got any neat tricks for handling the CSRs, etc.? With over 30 satellites, dealing with the certificate request handling/import looks like a possible pain...

I was thinking of making a specific AD CS template for ZCM and increasing the validity period (e.g. to 5 years, equivalent to the CA).
Is there any way of utilising auto-enrolment? All our primaries and satellites are domain members...

Any suggestions and experiences to share?

Many thanks

David
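The CSR-handling question above (30+ satellites, one AD CS template) is the kind of thing that is normally scripted with the certreq.exe that ships with Windows. The script below is an added example written for this page; it is not from the original thread, from Micro Focus or from ZENworks. It assumes, purely for illustration, that each satellite's CSR has been copied to C:\ZCM\csr as <hostname>.csr, that the enterprise CA is reachable as "CA01.corp.example\Corp-Issuing-CA", and that a template called "ZCM-Server" exists; none of those names appear in the thread. It submits every CSR against the template, copies the issued certificate back, and checks that the CA actually signed it with something other than SHA-1, since that was the reason for the move.

```powershell
# Added example, not code from the original thread.
# Assumed (hypothetical) environment: CSRs in C:\ZCM\csr, CA "CA01.corp.example\Corp-Issuing-CA",
# AD CS template "ZCM-Server". Needs certreq.exe (ships with Windows) and a domain account
# that has Enroll permission on the template.
param(
    [string]$CsrDir   = 'C:\ZCM\csr',                            # hypothetical path
    [string]$OutDir   = 'C:\ZCM\issued',                         # hypothetical path
    [string]$CaConfig = 'CA01.corp.example\Corp-Issuing-CA',     # hypothetical CA "host\CA name"
    [string]$Template = 'ZCM-Server'                             # hypothetical template name
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Returns $true when the issued certificate is NOT signed with a SHA-1 based algorithm.
# X509Certificate2.SignatureAlgorithm.FriendlyName is e.g. "sha1RSA" or "sha256RSA".
function Test-NotSha1 {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    return ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha1')
}

# Submit a single PKCS#10 request to the CA against the given template.
# "-attrib CertificateTemplate:<name>" is how certreq tells an enterprise CA which
# template to apply to a file-based request. "-q" suppresses the CA picker dialog.
function Submit-Csr {
    param([string]$CsrPath, [string]$CerPath)
    $output = & certreq.exe -submit -q -config $CaConfig `
                  -attrib "CertificateTemplate:$Template" $CsrPath $CerPath 2>&1
    return [pscustomobject]@{
        Issued  = (Test-Path $CerPath)
        Message = ($output -join ' ')
    }
}

foreach ($csr in Get-ChildItem -Path $CsrDir -Filter *.csr) {
    $cer    = Join-Path $OutDir ($csr.BaseName + '.cer')
    $result = Submit-Csr -CsrPath $csr.FullName -CerPath $cer

    if (-not $result.Issued) {
        # Most common cause: the template requires CA certificate manager approval, so the
        # request is "Taken Under Submission". certreq prints the RequestId; once approved
        # the cert can be fetched with:  certreq -retrieve -config <CA> <RequestId> <file>.cer
        Write-Warning "$($csr.Name): not issued (pending or denied). certreq: $($result.Message)"
        continue
    }

    if (Test-NotSha1 -CerPath $cer) {
        Write-Host "$($csr.Name): issued -> $cer"
    } else {
        # The whole point of the migration was to get off SHA-1; a SHA-1 signed
        # certificate means the CA's own hash algorithm setting still needs fixing.
        Write-Warning "$($csr.Name): issued but signed with SHA-1, check the CA's hash algorithm"
    }
}
```

The issued .cer files still have to be imported on each satellite with whatever mechanism the ZCM version in use provides; the script only removes the manual "paste the CSR into the CA web page" step. If the template is set to require CA manager approval, expect every request to land in the pending branch and plan a second pass with certreq -retrieve.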
Micro Focus Expert

Re: Moving to "External" AD Certificate Services CA...

I would still recommend sticking with Internal... generally makes life easier.

SHA-1 is good on the MS site until at least 2020...

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Update: For code signing certificates, Windows 7 and later versions will stop accepting code signed with SHA-1 certificates without timestamps that were made prior to January 1, 2016. This enforcement will be performed only in user mode using the framework that Windows has for blocking weak cryptographic algorithms. Code signed with SHA-1 certificates that are time stamped before 1 January, 2016 will be accepted until 14 January 2020 (when Server 2008 extended support ends),
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Absent Member.

Re: Moving to "External" AD Certificate Services CA...

OK... noted (but sceptical! 😉)

But has anyone actually done this? We'll be running through our lab soon and would appreciate hearing from anyone who has actually implemented an AD CS CA based solution.

Cheers
David