Hello All
Can someone kindly help me with the following few questions :)
I built an offline Windows 2012 R2 root CA and an online 2012 R2 Enterprise Sub issuing CA in a lab, all worked fine :)
But a few questions arose and I would be grateful for some help please
I chose Sha256 as the hashing algorithm for both CAs.
When I look at the Sub CA cert (signed by the offline CA) I see the following
Signature Algorithm: Sha256RSA
Signature Hash Algorithm: Sha256
All looks normal to me so far, then when I look at the certificate thumbprint it says the thumbprint algorithm was Sha1
Now the way I see it is the thumbprint is a hash of the cert itself using whatever hashing algorithm (in this case it says Sha1). Now who generated the thumbprint as displayed in the certificate?
For example if it was the Root CA (which created the cert in the first instance by signing the CSR), this Root CA is set to use Sha256 to hash the certificate and encrypt the hash with its private key, thereby creating a signature stamp on the certificate. Later on, whoever will use the CA public key to decrypt the signature, get back the hash (Sha256), rehash the cert to check it gets the same result. If that is correct where does the Sha1 hash come into play or is this just for basic certificate file integrity checking, like using MD5 to hash a file in order to check it is not corrupt?
Next question,
I created a web site, CSR and had the Sub CA process the CSR, so now the web site has a cert issued by the Sub CA and the site's https works fine. However when I click on the padlock in the browser, it states the usual traffic is encrypted etc. but it says this site was verified by the Root CA (e.g. the trust anchor at the top of the cert chain). Why does it not just say this site is verified by the Sub CA (after all the Sub CA signed the cert)? The Sub CA and Root CA certs are in the relevant stores on the Windows client. Perhaps it always goes back to the trust root when stating who verifies this site?
Next question (thanks)
Why do some of the fields when looking at the properties of a certificate have a "yellow triangle with an exclamation mark" in it? For example looking at the offline root CA or Sub CA cert 'basic constraints'
Thanks All
AAnotherUser__
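As an added example (not part of the original post, and not the poster's own lab scripts), the PowerShell below shows the three things the questions touch on: that the thumbprint is a hash computed locally over the certificate's DER bytes and is independent of the CA's signature algorithm, how the chain walks from the leaf up to the self-signed root the browser names, and what the Basic Constraints extension of each chain element contains. The `.cer` path is a placeholder assumption; replace it with a certificate exported from your own lab. The chain is built with revocation checking disabled because an offline root's CRL is usually not reachable from a lab client.

```powershell
# Added example, not from the original post. Assumes a certificate exported
# from the lab; the path below is a placeholder, replace it with your own.
$cerPath = 'C:\labs\pki\webserver.cer'   # placeholder path (assumption)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

function Get-DerFingerprint {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm = 'SHA1'
    )
    # The thumbprint is just a hash over the DER-encoded certificate (RawData).
    # It is computed by whoever displays the cert; it is not a field inside
    # the certificate and is not covered by the issuing CA's signature.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try {
        $bytes = $hasher.ComputeHash($Certificate.RawData)
    } finally {
        $hasher.Dispose()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Thumbprint versus signature algorithm
$sha1   = Get-DerFingerprint -Certificate $cert -Algorithm SHA1
$sha256 = Get-DerFingerprint -Certificate $cert -Algorithm SHA256
"Signature algorithm (chosen by the issuing CA): $($cert.SignatureAlgorithm.FriendlyName)"
"Windows thumbprint (viewer-computed SHA-1):    $($cert.Thumbprint)"
"Recomputed SHA-1 over RawData:                 $sha1"
"SHA-256 over the same bytes:                   $sha256"
"Thumbprint equals recomputed SHA-1:            $($cert.Thumbprint -eq $sha1)"

# 2. Walk the chain from the leaf to the trust anchor
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Lab setting: the offline root's CRL is not reachable, so skip revocation checks.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain built successfully: $built"
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "[$i] Subject=$($c.Subject)  Issuer=$($c.Issuer)  Status=$($element.ChainElementStatus.Status -join ',')"
    $i++
}
# Element 0 is the leaf issued by the Sub CA; the last element is the self-signed
# root, which is the trust anchor the browser reports as having verified the site.

# 3. Basic Constraints on every element: which certs may act as a CA
foreach ($element in $chain.ChainElements) {
    $c  = $element.Certificate
    $bc = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($bc) {
        $pathLen = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
        "$($c.Subject): CA=$($bc.CertificateAuthority) Critical=$($bc.Critical) PathLen=$pathLen"
    } else {
        "$($c.Subject): no Basic Constraints extension"
    }
}
```

Run it from a client that has the root and Sub CA certificates in its trusted stores. Section 1 prints the same value for the stored `Thumbprint` and the SHA-1 recomputed over `RawData`, while the SHA-256 of the same bytes is a different, equally valid fingerprint; neither has anything to do with the `sha256RSA` signature the CA applied. Section 2 lists the leaf, the Sub CA and the root in order, and section 3 shows the `CA=True` flag carried by the two CA certificates and `CA=False` (or no extension) on the web server certificate.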