hello
I have two tiered PKI structure. one offline standard root ca. And two enterprise issuing subordinate ca. all of them are running Microsoft Software key Storage Provider with 256 hash algorithm. Also any new certs issued by my issuing ca also has hash256. But my root ca and intermediate subordinate certs are on sha1 so even though actual web server cert has hash256 . I get an error on chrome that I am running sha1. If I renew root and my subordinate CA cert will the error go away?
also I understand enterprise sub ca will send the new intermediate root cert automatically to all computers in domain. but how do I push the offline root ca cert to all computers in domain. also when I issue a new cert, will that have the new intermediate cert and root cert in chain? what would be the best solution to address this
thanks