My question has to do with moving away from our old PKI environment and onto a new PKI environment I am designing.
A little background... Because our existing PKI environment was not installed using most best practices and only supports SHA1, I am designing a new PKI environment based on Windows Server 2012 R2. The intention is to implement many of the best practices Brian Komar talks about in his book and to support SHA256. When I am done I will have two PKI hierarchies: the old SHA1 hierarchy and the new SHA256 hierarchy. I can easily move forest members over to using new certificates, but my concern is around internal Java applications.
Assuming the Java application owners do not have a good way of distributing the new CA certificates to their clients' trusted certificate store (I apologize for my lack of knowledge around Java), is there a way I can bridge the two PKI hierarchies? I have been experimenting with Cross CA certificates and Qualified Subordination, but that really seems like overkill for my situation. These two PKI environments are within the same organization. Is there a simpler way to essentially sign the SHA256 root CA certificate with the SHA1 root CA, so that if the Java clients see a new SSL certificate, for example, issued from the new SHA256 CAs, they will have the ability to construct the chain of trust to the old SHA1 root CA? This would just be a temporary solution to give us time to get the new CA certificates out to the Java clients.
Thank you.
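The mechanism the question describes, the old root issuing a certificate for the new root's public key under the new root's own name, is a cross-certificate. The script below is an added example, not part of the question or of any Microsoft procedure: it builds both hierarchies with OpenSSL instead of AD CS, creates the cross-certificate, and then checks which trust stores can build a path to a server certificate from the new hierarchy. The CA names, the hostname app.example.internal, the file names and the 30-day lifetimes are all made up for the demonstration.

```shell
#!/bin/sh
# Added demonstration, not from the original post: cross-certify a new SHA-256 root
# with an old SHA-1 root using OpenSSL, then check which trust stores can build a
# path to a leaf issued by the new hierarchy. All CA names, the hostname
# app.example.internal and the file names are made up for this example.
set -e

# Function body runs in a subshell so the temp dir and cd do not leak to the caller.
cross_sign_demo() (
  set -e
  work=$(mktemp -d)
  cd "$work"

  # Minimal config: req needs a distinguished_name section even with -subj;
  # [ca] and [leaf] are the extension sets used for CA and server certificates.
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.internal
EOF

  # 1. Old hierarchy: a self-signed root. SHA-1 mimics the legacy CA; if this
  #    OpenSSL build refuses to produce SHA-1 signatures, fall back to SHA-256
  #    (the cross-certification mechanics are identical either way).
  openssl genrsa -out old-root.key 2048 2>/dev/null
  OLD_DIGEST=sha1
  openssl req -x509 -new -key old-root.key -$OLD_DIGEST -days 30 \
      -subj "/CN=Old SHA1 Root CA" -config ext.cnf -extensions ca \
      -out old-root.crt 2>/dev/null || {
    OLD_DIGEST=sha256
    openssl req -x509 -new -key old-root.key -$OLD_DIGEST -days 30 \
      -subj "/CN=Old SHA1 Root CA" -config ext.cnf -extensions ca -out old-root.crt
  }

  # 2. New hierarchy: SHA-256 root with an issuing CA beneath it.
  openssl genrsa -out new-root.key 2048 2>/dev/null
  openssl req -x509 -new -key new-root.key -sha256 -days 30 \
      -subj "/CN=New SHA256 Root CA" -config ext.cnf -extensions ca -out new-root.crt
  openssl genrsa -out new-issuing.key 2048 2>/dev/null
  openssl req -new -key new-issuing.key -subj "/CN=New SHA256 Issuing CA" \
      -config ext.cnf -out new-issuing.csr
  openssl x509 -req -in new-issuing.csr -CA new-root.crt -CAkey new-root.key \
      -CAcreateserial -sha256 -days 30 -extfile ext.cnf -extensions ca \
      -out new-issuing.crt 2>/dev/null

  # 3. A server certificate issued by the new issuing CA.
  openssl genrsa -out app.key 2048 2>/dev/null
  openssl req -new -key app.key -subj "/CN=app.example.internal" -config ext.cnf -out app.csr
  openssl x509 -req -in app.csr -CA new-issuing.crt -CAkey new-issuing.key \
      -CAcreateserial -sha256 -days 30 -extfile ext.cnf -extensions leaf \
      -out app.crt 2>/dev/null

  # 4. The cross-certificate: the OLD root signs the NEW root's public key under the
  #    new root's own subject name. No private key changes hands: the CSR is made
  #    with new-root.key but signed with old-root.key. It carries the old CA's digest,
  #    so it is a SHA-1 signature whenever the old CA really only does SHA-1.
  openssl req -new -key new-root.key -subj "/CN=New SHA256 Root CA" \
      -config ext.cnf -out new-root-cross.csr
  openssl x509 -req -in new-root-cross.csr -CA old-root.crt -CAkey old-root.key \
      -CAcreateserial -$OLD_DIGEST -days 30 -extfile ext.cnf -extensions ca \
      -out new-root-cross.crt 2>/dev/null

  # Chain a server presents during the transition: issuing CA plus cross-certificate.
  cat new-issuing.crt new-root-cross.crt > transition-chain.pem

  # Client that trusts only the NEW root: verifies through the normal path.
  openssl verify -CAfile new-root.crt -untrusted new-issuing.crt app.crt >/dev/null
  # Client that trusts only the OLD root and receives the cross-cert: also verifies.
  openssl verify -CAfile old-root.crt -untrusted transition-chain.pem app.crt >/dev/null
  # Same OLD-root-only client WITHOUT the cross-cert in the chain: must fail, which
  # is why servers have to send the cross-cert until clients trust the new root.
  if openssl verify -CAfile old-root.crt -untrusted new-issuing.crt app.crt >/dev/null 2>&1; then
    echo "unexpected: chain verified without the cross-certificate" >&2
    exit 1
  fi
  echo "cross-certificate bridges the new hierarchy to the old root (old CA digest: $OLD_DIGEST)"
  rm -rf "$work"
)

cross_sign_demo
```

Two caveats the demonstration makes visible. First, the bridge only works if the servers include new-root-cross.crt in the chain they send; a client that already trusts the new root ignores it and builds the shorter path, while a client that trusts only the old root needs it to reach a trust anchor. Second, the cross-certificate is signed by the old CA, so with a SHA-1-only old CA it is a SHA-1 signature; that is acceptable exactly as long as the clients still accept the SHA-1 root, which is the transition period the question has in mind. In Microsoft terms this is the cross-certification part of Qualified Subordination without the name or policy constraints; the AD CS steps themselves are not shown here.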