What does it mean when the ROOT certificate authority tells you that a SHA256 root authority might be less compatible than a SHA1 root?

We just ordered a new cert from an external trusted authority and were presented with a choice. We could get a SHA256 cert issued from a chain where the root CA certificate was SHA1 or one from a SHA256 root CA. The text under the SHA1 root option said that we should choose this for greater compatibility.

Well, we went for the SHA256 root because who wants a legacy root CA?

Just to let you know what the incompatibility might be, because at the time we could not think why we might have issues.

The problem is that the SHA256 root CA is relatively new. Not every client will trust that root yet, because trusted root stores are not always updated automatically.

So it is not really a compatibility problem; it is just that some people are not actively updating their trusted root CA stores.

FYI, there are a number of ways of doing this; here's a link on it you might find useful.

http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/

We went for just delivering the one cert by GPO rather than updating the trusted roots, as we needed to do it quickly to support this new cert, and we plan to test the best route for keeping them up to date going forward. Our workstations are fine as they have an internet connection, but most servers are blocked for obvious reasons.
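As an added example (not part of the original post), here is a PowerShell check to run on a server before relying on the new cert: it builds the chain the way Windows would, shows which hash signed each element, and reports whether the chain's root is already in the machine's trusted root store, exporting it for GPO distribution if not. The leaf and chain file paths are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Assumes a DER/PEM leaf at $LeafPath
# and, optionally, a .p7b with the intermediates/root at $ChainPath (placeholders).
param(
    [string]$LeafPath  = 'C:\certs\newcert.cer',   # placeholder path
    [string]$ChainPath = 'C:\certs\chain.p7b'      # placeholder path, may be absent
)

$ns   = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$ns.X509Certificate2" $LeafPath

# Build the chain exactly as the OS would. Revocation is skipped on purpose so the
# result reflects trust-store membership only, which is the question at hand.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (Test-Path $ChainPath) {
    # Make the CA-supplied intermediates/root available even if AIA fetching is blocked.
    $extra = New-Object "$ns.X509Certificate2Collection"
    $extra.Import($ChainPath)
    $chain.ChainPolicy.ExtraStore.AddRange($extra)
}
$built = $chain.Build($leaf)

# Leaf first, highest CA found last. A legacy chain ends in a sha1RSA root,
# the newer one in sha256RSA; if the root could not be found at all the last
# element is an intermediate and ChainStatus reports PartialChain.
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$elements | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        SigAlg     = $_.SignatureAlgorithm.FriendlyName
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
    }
} | Format-Table -AutoSize

$root    = $elements[-1]
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }

if ($built -and $trusted) {
    Write-Output "OK: root '$($root.Subject)' is trusted on $env:COMPUTERNAME"
} else {
    # This is the "compatibility" case the CA warned about: a root this machine
    # has never received, typically because it cannot reach the automatic root update.
    Write-Output "MISSING: root '$($root.Subject)' ($($root.Thumbprint)) is not trusted here"
    $chain.ChainStatus | ForEach-Object { Write-Output ("  status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    # Export the root for distribution via GPO (Computer Configuration > Windows Settings >
    # Security Settings > Public Key Policies > Trusted Root Certification Authorities).
    $out = Join-Path $env:TEMP 'new-root.cer'
    [System.IO.File]::WriteAllBytes($out, $root.Export('Cert'))
    Write-Output "Root exported to $out"
}
```

Run it on a workstation with internet access and on a blocked server and compare the two outputs; the difference is the trust-store gap the CA's "greater compatibility" note is hinting at.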
