PKI Certificate

bizcntradmin 191 Reputation points
2020-09-12T13:36:39.89+00:00

We have a 2-tier PKI and the hash algorithm is SHA256. I have an appliance that requires SHA384 as the minimum hashing algorithm. Is it possible to generate a SHA384 cert in our current PKI environment?


Accepted answer
  1. Fan Fan 15,321 Reputation points Microsoft Vendor
    2020-09-14T06:41:35.733+00:00

    Hi,

    The hash was determined by the selection made when installing the CAs, as follows:
    [screenshot: 24325-9146.jpg]
    Based on my research, it can be configured to generate a SHA384 cert, but it will not only affect one cert; it will affect all the certs and CRLs the issuing CA issues.

    The hash chosen on the root CA determines how the Subordinate CA's certificate is signed;
    During the Subordinate CA install, the hash algorithm you select under "Select the hash algorithm for signing certificates used by this CA" determines how the certificates and CRLs issued by the Subordinate CA are signed.

    It can be changed by the registry value CNGEncryptionAlgorithm.
    To use the certutil.exe command to set these values, use the following syntax:
    certutil -setreg ca\csp\CNGHashAlgorithm <Hash Algorithm>
    For example:
    certutil -setreg ca\csp\CNGHashAlgorithm SHA384

    Note: As with all changes, make sure you back up the settings before changing them, and test thoroughly after the change.
    For your reference:
    https://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx

    Best Regards,
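As an added example (not code from this thread, Microsoft, or the referenced wiki), here is a PowerShell script that applies the change from the answer above together with the backup and verification steps it recommends. It assumes it is run as an administrator on the issuing CA, that the CA key lives on a CNG key storage provider (the CNGHashAlgorithm value is ignored when a legacy CSP is in use), and that the registry and CertEnroll paths are the standard AD CS defaults.

```powershell
#Requires -RunAsAdministrator
# Added example: change the issuing CA's signing hash with backup and verification.
# Assumes a CNG key storage provider and default AD CS registry/CertEnroll paths.
param(
    [ValidateSet('SHA256','SHA384','SHA512')] [string]$NewHash = 'SHA384',
    [string]$BackupDir = "$env:ProgramData\CA-hash-backup"   # assumed backup location
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # name of the active CA
$cspKey = Join-Path $cfgKey "$caName\CSP"
$csp    = Get-ItemProperty -Path $cspKey

# 1. Precondition: CNGHashAlgorithm only takes effect with a CNG key storage provider (KSP)
if ($csp.Provider -notlike '*Key Storage Provider*') {
    throw "CA '$caName' uses legacy CSP '$($csp.Provider)'; CNGHashAlgorithm would be ignored. Migrate the key to a KSP first."
}
Write-Host "CA '$caName' currently signs with $($csp.CNGHashAlgorithm) via $($csp.Provider)"

# 2. Backup: export the CA's CSP registry key before touching it (restore with 'reg import')
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$regBackup = Join-Path $BackupDir "csp-$stamp.reg"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName\CSP" $regBackup /y | Out-Null
Write-Host "Registry backup written to $regBackup"

# 3. Change the hash used for newly issued certificates and CRLs; the service must restart to pick it up
certutil.exe -setreg "ca\csp\CNGHashAlgorithm" $NewHash | Out-Null
Restart-Service CertSvc

# 4. Verify: publish a fresh CRL and read its signature algorithm from certutil's dump.
#    The CA's own certificate is unaffected, because it was signed by the parent (root) CA.
certutil.exe -CRL | Out-Null
$crlFile = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$sigLine = (certutil.exe -dump $crlFile.FullName | Select-String 'Algorithm ObjectId:' |
            Select-Object -First 1).Line
Write-Host "Newest CRL $($crlFile.Name): $sigLine"
if ($sigLine -notmatch $NewHash) {
    Write-Warning "CRL signature does not show $NewHash; check the provider and key type."
}

$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$caName*" } |
          Select-Object -First 1
Write-Host "CA certificate itself is still signed with: $($caCert.SignatureAlgorithm.FriendlyName) (set by the parent CA)"
```

Certificates issued after the restart will carry the new signature hash, so test enrollment against the appliance and any older relying parties before leaving the change in place.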

