Existing certs affected when moving to Sha2

I have everything up and running fine and have been contemplating going to sha2. Sent email out asking others if sha2 is not an option. From my other post and reading on here I know how to change over, but still have some questions, as now it seems we need to stand up a new system and their minimum requirement is sha2.

1. If I change the root to 4096 (since that seems the recommendation) and hash from sha1 to sha2, then issue new root and new issuing certs into AD etc., validate through pkiview, will existing sha1 certs continue to work? We currently, as an example, have sha1 certs used for the VM environment and some other stuff.

2. Would I need to leave in place the existing 20 year and 10 year certs that have sha1 and 2048 for everything to keep working until we're able to issue and install the sha2 certs, or just revoke them after the new root and issuing are in place?

3. I've seen a few posts where the recommendation was to stand up a parallel server. Does that mean I would create another root and another issuing so I have two separate environments, one for sha1 and one for sha2?

4. If you have two separate environments like that, how do you prevent clients from going to one or the other? Like you ONLY want to issue a sha1 if you need to do a specific thing, but everything else uses the other for sha2.

My main concern is not with needing sha1. Everything I have looked at, OS-wise and application-wise, supports sha2. At least as far as I have determined. I really am trying to avert my concerns that moving to sha2 for this new system will cause the other things to stop working. Of course I hope I don't have to inquire about how to start issuing 1 again.

thx
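An added example that is not part of the original post or any reply to it: a PowerShell inventory that bears on questions 1 and 2. It lists each certificate in the machine's Personal store with its signature hash, RSA key size and expiry, and flags any certificate in the built chain (issuing CA or root) that is still SHA-1 signed, so the certs that would have to be reissued from a new SHA-2 hierarchy can be identified before the old CA certs are revoked. The store path, the offline revocation setting and the report layout are assumptions, not anything the post specifies.

```powershell
# Added inventory example (not from the original post). Lists certs in the
# local machine Personal store with signature hash and RSA key size, and
# flags any chain element still signed with SHA-1. Store path and output
# layout are assumptions. Run in an elevated session on a machine that holds
# certs issued by the CA being migrated.

function Get-Sha1ChainReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline inventory only: skip CRL/OCSP so an unreachable CDP does
        # not hide a cert from the report. Revocation is checked elsewhere.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($cert)   # partial chains are still reported

        # Collect every element (leaf, issuing CA, root) whose signature
        # algorithm is a SHA-1 variant, e.g. sha1RSA.
        $sha1Elements = @()
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            if ($c.SignatureAlgorithm.FriendlyName -like 'sha1*') {
                $sha1Elements += $c.Subject
            }
        }

        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            KeySize      = $keySize
            ChainBuilt   = ($chain.ChainElements.Count -gt 0)
            Sha1InChain  = ($sha1Elements.Count -gt 0)
            Sha1Subjects = ($sha1Elements -join '; ')
        }
        $chain.Dispose()
    }
}

# Soonest-expiring first, so the certs most urgent to reissue come out on top.
Get-Sha1ChainReport | Sort-Object NotAfter | Format-Table -AutoSize
```

Point `-StorePath` at other stores (for example `Cert:\LocalMachine\WebHosting`) or run it on the VM hosts mentioned in the post to cover the certs that live there.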
