ENC uses certificates to authenticate between clients.
The encryption version of the certificates HAS to match for the clients to be able to talk to each other.
All versions before R14sp1 used SHA1 with a 1024 bit key as the default encryption for ENC certificates.
R14sp1 uses SHA2 with a 2048 bit key as the default encryption for ENC certificates.
R14sp1 can run without any problems using a SHA1 1024 bit encryption key, so I would leave it at that until R14sp2 comes out.
If you want R14sp1 ENC clients to be able to talk to previous version ENC clients, you will need to create and import SHA1 1024 bit certs.
To figure out what version of cert you are using:
Either double-click on the cert.der
or open MMC > Add/Remove Snap-In > Certificates > Computer Account > Personal > Certificates
Go to the Details tab and look at the following lines:
Signature hash algorithm - This is the SHA version, for example: sha1
Public key - This is the bit strength, for example: RSA(1024 Bits)
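As an added example (not from the original post and not a CA Client Automation tool), the following PowerShell script performs the same two checks from the command line: for every cert in the Local Machine Personal store, plus any .der files passed on the command line, it reads the signature algorithm and the RSA key length and flags any cert that does not match the expected ENC configuration. The store path, the parameter names and the expected defaults (sha1RSA/1024 for pre-R14sp1, sha256RSA/2048 for R14sp1) are assumptions based on the text above; the thumbprint it prints is what you would pass to certutil when removing a wrong cert.

```powershell
# Added example, not part of the original post or of CA Client Automation.
# Audits certificates for the ENC hash/key-length mismatch described above.
# Assumptions: ENC certs live in Cert:\LocalMachine\My (the MMC "Personal" store),
# and the expected defaults are sha1RSA/1024 (pre-R14sp1) or sha256RSA/2048 (R14sp1).
param(
    [string[]]$DerFile = @(),            # optional .der files to inspect as well
    [string]$ExpectedSigAlg = 'sha1RSA', # use 'sha256RSA' if you standardise on the R14sp1 default
    [int]$ExpectedKeyBits = 1024         # use 2048 for the R14sp1 default
)

function Get-EncCertInfo {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Source
    )
    # "Signature hash algorithm" in the MMC Details tab; FriendlyName reads e.g. sha1RSA or sha256RSA
    $sigAlg = $Cert.SignatureAlgorithm.FriendlyName
    # "Public key" in the MMC Details tab, e.g. RSA (1024 Bits); non-RSA keys report 0
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    [pscustomobject]@{
        Source     = $Source
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint          # usable as the cert id for certutil -delstore My <id>
        SigAlg     = $sigAlg
        KeyBits    = $keyBits
        Matches    = ($sigAlg -eq $ExpectedSigAlg) -and ($keyBits -eq $ExpectedKeyBits)
    }
}

$results = @()

# Certs already imported into the computer's Personal store
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $results += Get-EncCertInfo -Cert $c -Source 'LocalMachine\My'
}

# Certs still on disk as .der files (what you would otherwise double-click)
foreach ($f in $DerFile) {
    $path = (Resolve-Path $f).Path
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
    $results += Get-EncCertInfo -Cert $c -Source $path
}

$results | Format-Table Source, Subject, SigAlg, KeyBits, Matches, Thumbprint -AutoSize

$wrong = $results | Where-Object { -not $_.Matches }
if ($wrong) {
    Write-Warning ("{0} cert(s) do not match {1}/{2} bits; ENC clients using them will not be able to talk to clients using the expected configuration." -f @($wrong).Count, $ExpectedSigAlg, $ExpectedKeyBits)
}
```

Run it with no arguments to audit the store, or with `-DerFile .\root.der, .\$env:COMPUTERNAME.der` to check files before importing them; pass `-ExpectedSigAlg sha256RSA -ExpectedKeyBits 2048` once you have moved to the R14sp1 defaults.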
If you have already created the certs, then you will need to delete the certs with the WRONG configuration.
Either go into the Windows certstore or use the following command:
certutil -delstore My <cert_name>
Then you will need to create and import the new certs using the following command:
cacertutil create -o:"%cd%\%computername%.p12" -op:<password> -s:cn=%computername% -d:-1 -i:"%cd%\root.p12" -ip:<password> -od:"%cd%\%computername%.der" -k:1024 -xsan:%computername%.ca.com -ac -as -ae -dt:SHA1
The 2 new additional parameters that need to be added are -k:1024 (the key length) and -dt:SHA1 (the signature hash algorithm).
The next release of CA Client Automation (R14sp2) is supposed to allow the ENC Gateway (MSR) server to support multiple certs, which would let the customer install both SHA2 2048 certs and SHA1 1024 certs on the ENC Gateway Server (MSR) and then slowly move all the clients to the new certificate method.