sha512

  • If you are in the process of deploying a new CA and are thinking of issuing certificates that use SHA-512 hashes, think again!

(From https://support.microsoft.com/en-us/kb/2973337): "If you currently use SHA512 certificates, and do not have this update installed, you may have problems in one or more of the following scenarios by using TLS 1.2:

  • Internet Protocol security (IPsec) stand-alone
  • IPSec with DirectAccess
  • Microsoft Lync Server 2013
  • Remote Desktop Services (RDP)
  • SSL websites
  • SSL based VPN
  • Web applications"

The list of affected products and features is a matter of quality rather than quantity (re-read it!): many critical components will break, including Windows Update under certain conditions.

Don't misunderstand me: computer security is important, though at times it is imperative that things "just work".

Lessons learned.

If you seek wider compatibility over stronger security while provisioning a new CA, consider SHA-1 (or SHA-256, given that SHA-1 will be decommissioned starting from 2017) with RSA 2048-bit (or 4096-bit) keys.

If you seek greater security instead, I recommend SHA-256 (or SHA-384 if you must), perhaps with elliptic curves instead of RSA (though that will open another "can of shiny new eels"!).
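As an added example (not from the original post), a standard-library-only Python check that reads the outer signatureAlgorithm of a DER certificate and maps its hash to the guidance above; the sample inputs are constructed cert-shaped skeletons, not real certificates, and the verdict strings are my phrasing of the post's advice.

```python
SIG_OIDS = {                             # signature algorithm OIDs (RFC 3279/4055/5758)
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}
VERDICT = {"SHA-512": "AVOID: TLS 1.2 peers without KB2973337 may fail",
           "SHA-1": "LEGACY: decommissioned from 2017, move to SHA-256",
           "SHA-256": "OK: broadly compatible", "SHA-384": "OK: broadly compatible"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OID content octets -> dotted decimal (first octet packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_hash(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(der_cert, 0)
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "signatureAlgorithm must start with an OBJECT IDENTIFIER"
    return SIG_OIDS.get(decode_oid(oid), "unknown")

def ca_policy_verdict(der_cert):         # the post's guidance, keyed by signature hash
    return VERDICT.get(signature_hash(der_cert), "UNKNOWN: review the signature algorithm")

def constructed_skeleton(sig_oid_hex):
    """Constructed test input: cert-shaped DER with a dummy body (not a real certificate)."""
    oid = bytes.fromhex(sig_oid_hex)
    alg = b"\x30" + bytes([len(oid) + 4]) + b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

The same functions work on a real DER-encoded certificate (for example `open("ca.cer", "rb").read()`), because only the outer three-element SEQUENCE is inspected; PEM input must be base64-decoded first.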