This is a great article. I have a related question though...
Is it possible to have a CA with the ability to use either SHA-2 or SHA-3 for signing certificates? Or is it a case where you can only pick one or the other? From what I have read, it is possible to have the CA support multiple algorithms, but I have no idea how you would choose to use one or the other in that scenario.
I also considered perhaps upping the algorithm on the Root CA to SHA-384, and then deploying a subordinate CA that issues SHA-2 certificates. My understanding is that as long as the root CA has the stronger algorithm, this would work. Is that true? If I did this, could I then submit CSRs to the root CA if I wanted them signed with SHA-384 and submit CSRs to the subordinate CA if I want them signed with SHA-2?
Or do I have this all wrong?
Reference links:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786428(v=ws.11)
https://social.technet.microsoft.com/Forums/en-US/1359fc45-daf6-4ea0-ae61-53bf72d7130d/sha-3-with-microsoft-ca?forum=winserversecurity
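The part of this question that is independent of any particular CA product can be shown directly in code: each certificate's signatureAlgorithm is chosen by the issuing CA at signing time, the hash a requester used on the CSR has no bearing on it, and a validator checks every link with the hash recorded in that certificate, so a root signed with SHA-384 and a subordinate that issues SHA-256 certificates form a perfectly valid chain. The following is an added example, not code from the original post or from Microsoft; it uses the third-party `cryptography` package (assumed installed) and constructs all names and keys locally. It illustrates general X.509 behaviour, not the configuration knobs of a Windows CA.

```python
"""Added example (not from the original post): build a three-level X.509 chain
in which the root and subordinate are signed with SHA-384 and the leaf with
SHA-256, then verify every link. Assumes the third-party `cryptography`
package is installed; all names and keys are constructed here."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    # Constructed subject/issuer names for the example chain.
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue_certificate(subject, subject_public_key, issuer, issuer_key, hash_algo, is_ca):
    """Issue a certificate. The hash used for the signature is a parameter of
    the *issuer's* signing call; nothing in the subject's key or CSR sets it."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hash_algo)


def build_mixed_hash_chain():
    """Return (root, sub, leaf, csr): root self-signed with SHA-384, sub signed by
    root with SHA-384, leaf signed by sub with SHA-256 from a CSR that was itself
    signed with SHA-512 (to show the CSR hash is irrelevant to the issued cert)."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sub_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_name = _name("Constructed Root CA")
    sub_name = _name("Constructed Sub CA")
    leaf_name = _name("host.example.test")

    root = issue_certificate(root_name, root_key.public_key(), root_name, root_key, hashes.SHA384(), True)
    sub = issue_certificate(sub_name, sub_key.public_key(), root_name, root_key, hashes.SHA384(), True)

    # The requester signs the CSR with whatever hash it likes; the issuing CA
    # then decides, independently, which hash signs the certificate.
    csr = x509.CertificateSigningRequestBuilder().subject_name(leaf_name).sign(leaf_key, hashes.SHA512())
    leaf = issue_certificate(csr.subject, csr.public_key(), sub_name, sub_key, hashes.SHA256(), False)
    return root, sub, leaf, csr


def verify_link(cert, issuer):
    """Check cert's signature with issuer's public key, using the hash the
    certificate itself declares. Mixed hashes across a chain are fine because
    each link is checked on its own terms."""
    try:
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def verify_chain(chain):
    """chain is ordered root -> ... -> leaf; the root is checked against itself."""
    issuers = [chain[0]] + list(chain[:-1])
    return all(verify_link(cert, issuer) for cert, issuer in zip(chain, issuers))


def signature_hash_names(certs):
    """Hash algorithm recorded in each certificate's signatureAlgorithm field."""
    return [c.signature_hash_algorithm.name for c in certs]


if __name__ == "__main__":
    root, sub, leaf, csr = build_mixed_hash_chain()
    print("chain hashes:", signature_hash_names([root, sub, leaf]))  # ['sha384', 'sha384', 'sha256']
    print("CSR hash:", csr.signature_hash_algorithm.name)            # 'sha512'
    print("chain verifies:", verify_chain([root, sub, leaf]))        # True
```

The same inspection is what to run on a production chain when auditing a CA migration: read `signature_hash_algorithm` from each certificate rather than assuming the CA's configured default, because a CA's default can change over time while already-issued certificates keep the hash they were signed with.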