Upgrade Certification Authority to SHA256 from SHA1

I got many questions about upgrading a Certification Authority from SHA1 to SHA256, so let us see how to upgrade a Certification Authority to SHA256 from SHA1. This is all about changing the signing hash algorithm. The CA can only sign with SHA-2 through Cryptography Next Generation (CNG), which was introduced in Windows Server 2008 and higher operating systems, so keep that prerequisite in mind: if your CA is still running on Windows Server 2003, an operating-system upgrade is required first. After upgrading the certification authority's operating system, run the following command on the CA:

  • certutil -setreg ca\csp\CNGHashAlgorithm SHA256

You will need to stop and start the CA service for the change to take effect. From then on the CA uses SHA-2 (SHA256) to sign the following:

  • Any CRL it produces.
  • Any issued certificate.
  • The CA certificate, when it is renewed.

  • net stop certsvc
  • net start certsvc

Make sure the CA key is held by a Key Storage Provider that supports SHA256, for example the Microsoft Software Key Storage Provider, and then renew the certification authority's certificate. The setting above only affects what the CA signs from now on; the existing CA certificate keeps its SHA1 signature until it is renewed.
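The whole procedure above, as an added PowerShell example that is not part of the original post: it reads the active CA's provider from the CertSvc registry configuration, refuses to continue if the key sits in a legacy CSP, sets CNGHashAlgorithm to SHA256, restarts the service and then checks the signature algorithm of a freshly published CRL. It assumes the default CertEnroll folder and CRL file name, and the provider-name test is a heuristic (assumption, not a Microsoft-documented check).

```powershell
# Added example, not from the original post. Run elevated on the CA server.
# Assumes Windows Server 2008 or later and that the CA key lives in a CNG
# Key Storage Provider (KSP); the provider check below stops otherwise.
$ErrorActionPreference = 'Stop'

# The 'Active' value under CertSvc\Configuration names the CA whose settings apply
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$csp    = Get-ItemProperty -Path "$cfg\$caName\CSP"

"CA name            : $caName"
"Provider           : $($csp.Provider)"
"CNGHashAlgorithm   : $($csp.CNGHashAlgorithm)"

# Heuristic (assumption): CNG providers carry 'Key Storage Provider' in their name.
# A legacy CSP such as 'Microsoft Strong Cryptographic Provider' does not honour
# CNGHashAlgorithm, so the key must be migrated to a KSP or a new CA built first.
if ($csp.Provider -notlike '*Key Storage Provider*') {
    throw "CA key is held by legacy CSP '$($csp.Provider)'; migrate it to a KSP before changing the hash."
}

# Switch the hash used for issued certificates and CRLs, then bounce the CA service
certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
Restart-Service -Name CertSvc

# Verify 1: the registry now says SHA256
certutil -getreg ca\csp\CNGHashAlgorithm

# Verify 2: publish a new CRL and read its signature algorithm (expect sha256RSA).
# Assumes the default CertEnroll path; a renewed CA adds a '(1)' suffix to the file name.
certutil -crl | Out-Null
$crlPath = Join-Path $env:windir "system32\CertSrv\CertEnroll\$caName.crl"
certutil -dump $crlPath | Select-String -Pattern 'Signature Algorithm' -Context 0,1
```

The CA certificate itself is unaffected by this script; renew it afterwards (for an issuing CA, `certutil -renewCert ReuseKeys` keeps the existing key pair so previously issued certificates still chain).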
Another option is to simply issue SHA256 certificates to clients even if the certification authority's own chain is still signed with SHA1, because the hash used for issued certificates is configured per CA, not inherited from the chain. Unfortunately Microsoft and the other leading browsers have stopped accepting SHA1-signed certificates (more info: http://dotnetstock.com/iis/moving-sha-256-certificate-convert-sha1-sha256/ ), and the applications consuming the SHA256 certificates have to support the SHA256 signature on every certificate in the chain.
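To see which chain links still matter for the point above, here is an added PowerShell audit that is not part of the original post: it builds the chain for every certificate in the machine's personal store and reports each non-root link that is still SHA1-signed. A root's self-signature is never validated by clients (trust comes from the store), so roots are skipped; the self-signed test by comparing Subject and Issuer is an assumed heuristic, and the script is offline (no revocation checking).

```powershell
# Added example, not from the original post: find SHA1-signed links in the chains
# of certificates in Cert:\LocalMachine\My. Runs offline; revocation is not checked.

function Get-Sha1ChainLinks {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only inspect signature algorithms
    [void]$chain.Build($Certificate)                  # returns $false on untrusted chains; still inspect them

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        # Heuristic (assumption): a self-signed root has identical Subject and Issuer.
        $isRoot = ($c.Subject -eq $c.Issuer)
        if (-not $isRoot -and $c.SignatureAlgorithm.FriendlyName -match 'sha1') {
            [pscustomobject]@{
                Leaf      = $Certificate.Subject
                Link      = $c.Subject
                Algorithm = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA
                NotAfter  = $c.NotAfter
            }
        }
    }
    $chain.Reset()
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-Sha1ChainLinks -Certificate $_ } |
    Format-Table -AutoSize
```

Any row that names an issuing CA as the Link means that CA's certificate still needs renewing under the new hash, regardless of what its issued certificates now use.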
Do not simply renew a Root CA whose key was created with the legacy "Microsoft Strong Cryptographic Provider" CSP: the CNGHashAlgorithm value applies to keys held by a CNG provider, so such a CA must either have its key migrated to a KSP such as the "Microsoft Software Key Storage Provider" (Microsoft documents that migration) or, cleaner, be replaced by a new Root CA that uses that KSP from the start.

For the subordinate (issuing) CA, renew its certificate while keeping the existing key pair (certutil -renewCert ReuseKeys) so that certificates it has already issued still chain correctly. Remember that clients which are not domain-joined do not receive the new CA certificate through Active Directory; they need the new SHA256 CA certificate loaded manually.

Hope that helps; if you find another way, feel free to comment…

Share and grow .
