• If you are in the process of deploying a new CA and are thinking of issuing certs that use SHA512 hashes, think again!

From the Microsoft support article for the update: "If you currently use SHA512 certificates, and do not have this update installed, you may have problems in one or more of the following scenarios by using TLS 1.2:

  • Internet Protocol security (IPsec) stand-alone
  • IPSec with DirectAccess
  • Microsoft Lync Server 2013
  • Remote Desktop Services (RDP)
  • SSL websites
  • SSL based VPN
  • Web applications"


The affected products/features list is a case of "quality over quantity" (re-read it!): lots of super-important components will break, including Windows Update under certain conditions!

Don't misunderstand me: computer security is important, though at times it is imperative that things "just work".


Lessons learned.

If you seek wider compatibility over stronger security (while provisioning a new CA), then you should consider SHA (or SHA256, given that SHA will be decommissioned starting from 2017) and RSA with 2048 (or 4094) bit keys.

If you still seek greater security, then I recommend considering SHA256 (or SHA384 if you must), perhaps with elliptic curves instead of RSA (though that will open another possible "can of shiny new eels"!).
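Before issuing or trusting a certificate, the one field that decides whether the SHA512 problem above applies is the outer signatureAlgorithm of the X.509 structure. The following is an added example, not code from this post, that reads that field from a DER-encoded certificate with a hand-written DER walker; the sample certificate builder is a constructed skeleton (no real key or signature) and assumes all encoded lengths fit in one octet.

```python
# Added audit helper (not code from the post): read the outer signatureAlgorithm of a
# DER-encoded X.509 certificate so SHA512-signed certs can be found before deployment.
SIGNATURE_HASH = {  # signature algorithm OID -> hash it uses
    "1.2.840.113549.1.1.5": "SHA1", "1.2.840.113549.1.1.11": "SHA256", "1.2.840.113549.1.1.12": "SHA384",
    "1.2.840.113549.1.1.13": "SHA512", "1.2.840.10045.4.3.2": "SHA256", "1.2.840.10045.4.3.3": "SHA384",
    "1.2.840.10045.4.3.4": "SHA512"}

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    """OID content octets -> dotted string, e.g. 1.2.840.113549.1.1.13."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set means "more octets follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Name of the hash in the certificate's outer signatureAlgorithm, or 'unknown'."""
    _, cert, _ = _tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "signatureAlgorithm must start with an OBJECT IDENTIFIER"
    return SIGNATURE_HASH.get(decode_oid(oid), "unknown")

def _der(tag, body): return bytes([tag, len(body)]) + body  # encoder for the sample; bodies < 128 bytes

def encode_oid(dotted):  # dotted OID -> content octets; inverse of decode_oid
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def sample_cert(sig_oid):  # constructed skeleton certificate: no real key or signature
    tbs = _der(0x30, _der(0x02, b"\x01"))                          # tbsCertificate with serial 1
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 4))  # dummy BIT STRING
```

A real certificate exported in DER form from the CA or a client store can be passed to `signature_hash` directly; the `sample_cert` builder only exists so the check runs offline.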

Senior Professional Network and Computer Systems Engineer during work hours and father when home.

Andrea strives to deliver outstanding customer service and heaps of love towards his family.


Thinking of SHA512 for your PKI? Think again.