Upgrade Certification Authority to SHA256
A common question in the field is how to upgrade a certification authority running on Windows Server 2003 to Crypto Next Generation (CNG) so that it can sign with SHA256. CNG was introduced in Windows Server 2008 and later operating systems, so an upgrade of the operating system is required first. After upgrading the certification authority's operating system, run the following commands from an elevated command line window:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
Make sure you are using a Key Storage Provider that supports SHA256, for example the Microsoft Key Storage Provider, and then renew the certification authority's certificate.
If this proves to be too complicated, you can instead issue SHA256-signed certificates to clients while the certification authority's own chain remains signed with SHA1. The applications consuming those certificates have to support a SHA256 signature on any given certificate in the chain.
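The procedure above written out as a PowerShell script for the CA host. This is an added example, not code from the original post. It reads the active CA's provider and hash settings from the CertSvc configuration registry key, refuses to continue if the CA still uses a legacy CSP (CNGHashAlgorithm has no effect without a Key Storage Provider), runs certutil -setreg with the value in exact case, restarts certsvc, and then reads the value back rather than trusting the "success" message, which, as a commenter below reports, is printed even from a non-elevated prompt where nothing is written. The function names are my own; the registry path and the provider name "Microsoft Software Key Storage Provider" are standard ADCS values.

```powershell
# Added example (not from the original post): switch an ADCS CA to SHA256 signing and
# verify the change actually took, instead of trusting certutil's "success" output.
# Assumes: run on the CA host with ADCS installed and certutil.exe on PATH.

function Test-IsElevated {
    # certutil -setreg reports success from a non-elevated prompt even though the
    # value is never written, so check before doing anything.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CaConfig {
    # Read the active CA name and its CSP settings from the registry; this is the
    # same data that "certutil -getreg ca\csp\*" displays.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $base "$caName\CSP")
    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        # HashAlgorithm is the legacy CSP value (an ALG_ID); CNGHashAlgorithm is the
        # string a KSP-backed CA uses. Only the latter matters after the migration.
        HashAlgorithm    = $csp.HashAlgorithm
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
    }
}

function Set-CaHashAlgorithmSha256 {
    # Exact case: a commenter on this post reports that a lowercase value stops certsvc starting.
    param([string]$Algorithm = 'SHA256')

    if (-not (Test-IsElevated)) {
        throw 'Run from an elevated PowerShell session; certutil -setreg silently does nothing otherwise.'
    }

    $before = Get-CaConfig
    if ($before.Provider -notmatch 'Key Storage Provider') {
        # CNGHashAlgorithm only applies to a CNG Key Storage Provider such as
        # "Microsoft Software Key Storage Provider". A legacy CSP such as
        # "Microsoft Strong Cryptographic Provider" needs the CSP-to-KSP key
        # migration from the linked TechNet article first.
        throw "CA '$($before.CAName)' uses CSP '$($before.Provider)'; migrate the key to a KSP before changing the hash algorithm."
    }

    & certutil.exe -setreg 'ca\csp\CNGHashAlgorithm' $Algorithm | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

    Restart-Service -Name CertSvc -Force   # same effect as net stop / net start certsvc

    # Read back with a case-sensitive comparison: the registry, not certutil's message, is the truth.
    $after = Get-CaConfig
    if ($after.CNGHashAlgorithm -cne $Algorithm) {
        throw "Registry still reads '$($after.CNGHashAlgorithm)'; the change did not take."
    }
    Write-Output "CA '$($after.CAName)' now signs with $($after.CNGHashAlgorithm) via '$($after.Provider)'."
    Write-Output 'Next step: renew the CA certificate so the CA certificate itself is SHA256-signed.'
    return $after
}

Set-CaHashAlgorithmSha256
```

The renewal itself remains a separate step in the Certification Authority console or with certutil -renewCert; reusing the existing key keeps previously issued certificates chaining to the renewed CA certificate.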
Amer Kamal
Senior Premier Field Engineer
Comments
Anonymous
January 01, 2003
Take care of Windows XP machines: if they still exist in the environment and don't have KB968730, then every time autoenroll triggers a certificate request, a certificate is issued from the CA end but does not appear in the store.
- Anonymous
November 25, 2016
Think it's fair to say if you have XP running in 2016 then certificates are probably the least of your worries. Integrating and working with legacy Windows 7 gives me enough issues!
- Anonymous
Anonymous
January 01, 2003
Just published on TechNet: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) - and optionally, migrating from SHA-1 to SHA-2.
http://technet.microsoft.com/en-us/library/dn771627.aspx
Anonymous
January 01, 2003
The comment has been removed
- Anonymous
August 29, 2017
Hi, to get the whole picture I recommend this whitepaper to you: https://gallery.technet.microsoft.com/Migrating-SHA-1-to-SHA-2-82ee3a4e
Hint: Please also take into consideration that the hashing algorithm for creating the signature of the CRL changes to SHA2 if you configure your CA to use SHA2 for creating the signature of issued certs.
Regarding OS level requirements for the CSP->KSP migration please check this: https://technet.microsoft.com/en-us/library/dn771627(v=ws.11).aspx
Best regards,
Steven
- Anonymous
Anonymous
November 06, 2013
Should these settings also be included in the CApolicy.inf on the Offline Root CA and the Issuing CA as a base config?
Anonymous
November 06, 2013
When changing the CNGHashAlgorithm to SHA256, should the CApolicy.inf also include AlternateSignatureAlgorithm = 1 (wrongly described as DiscreteSignatureAlgorithm in the 2008 PKI book)? Thanks a lot.
- Anonymous
November 06, 2017
If you are running a Lync/Skype environment, do not set alternatesignaturealgorithm to 1. It will cause incompatibility issues with it. Leave it at 0.
- Anonymous
Anonymous
November 28, 2013
I'm trying to renew a Root CA that was issued with the "Microsoft Strong Cryptographic Provider" 10 years ago. While everyone talks about upgrading the signing algorithm, I cannot find any articles or information on how to upgrade from the "Microsoft Strong Cryptographic Provider" to the "Microsoft Software Key Storage Provider", which supports SHA2 (SHA256, SHA512). Thanks for any pointer.
Anonymous
December 05, 2013
Hi Erik, the only way you can do so is by installing a new CA.
Anonymous
December 06, 2013
Thanks a lot Amer. After trying to fix this issue for a few hours, I realized that all the 10-year-old PKIs (created on Windows Server 2003) that might be going into renewal and are based on the "Microsoft Strong Cryptographic Provider" CSP will have issues in the next 3 years. With the recent announcement that Microsoft will deprecate SHA1 signatures in January 2017, these Root CAs will be impacted by these changes. This is big for all Root CAs that are supposed to last 20 years (2003-2023 using SHA1 hashing). At the end of the renewal process of my current Root CA (#0 RSA 2048/SHA1 => 2003-2013, #1 RSA 4096/SHA1 => 2013-2023), I decided to create a new Root CA in parallel with the Microsoft Software Key Storage Provider CSP (RSA4096/SHA512). People should not renew their current Root CA if it has been created with the "Microsoft Strong Cryptographic Provider" CSP, but rather migrate to a new Root CA that is using a CNG CSP like the "Microsoft Software Key Storage Provider". Regards, Erik Bussink, CISSP
Anonymous
April 10, 2014
The comment has been removed
Anonymous
October 06, 2014
Does this article also work for 2008 (not R2) CAs?
http://technet.microsoft.com/en-us/library/dn771627.aspx
Anonymous
October 13, 2014
This article did work for my 2008 (non R2) CA. No issues.
Anonymous
December 19, 2014
Worked great on 2012 R2.
Anonymous
February 03, 2015
What happens to the already issued client certificates after the CA or SubCA certificate is upgraded to SHA2?
Anonymous
February 03, 2015
More details:
I have a RootCA and a SubCA - the root is offline and the SubCA has issued many client certs over the years. I am planning the following:
1. Root CA to be started on the VM cluster -
2. Backup cert repository on both root and sub CAs
certutil -backup \sharecabackup
certutil -backup \sharesubcabackup
3. Change the signing algorithm to SHA2 only on the SubCA
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
4. Try issuing a client certificate from any server or online portal
5. If the certificate is SHA2, this is considered complete
6. If not, update the issuing cert of the SubCA to SHA2 (just renew with the same key) and test existing certs, issue new certs
Before I do this, I need assurance of some sort. Has anyone done this yet? What happens to the old certs with SHA1?
Anonymous
February 04, 2015
I was inspired by all the answers and replies here, along with different discussions, to come up with my own white paper describing the process.
There are many sides to the SHA-2 upgrade story. You can do side by side different Root CA migration, or you can upgrade your existing CA servers.
There is a white paper describing each approach and how it will affect your applications:
http://ammarhasayen.com/2015/02/04/what-makes-a-ca-capable-of-issuing-certificates-that-uses-sha-2/
Anonymous
February 10, 2015
Just completed the upgrade for our PKI. All old certs work fine and the chain remains intact. Ensure that the SubCA or issuing CA cert keeps the old keys, and if there are no AD clients they need the new SHA2 cert loaded.
- Anonymous
October 20, 2016
Raj, did you only change the signing algorithm of the SubCA to 256 and issue certs, or did you also renew the SubCA cert after changing the signing algorithm to 256?
- Anonymous
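An added audit script, not code from the original post or any commenter, for the question that keeps coming up in this thread (what happens to certificates issued before the change) and for Steven's hint above that the CRL signature changes as well. Switching CNGHashAlgorithm only affects signatures the CA makes from then on; the CA certificate, every certificate issued earlier and the current CRL keep the algorithm that signed them until each is renewed or republished. The script builds the chain for every certificate in the chosen local stores and reports each element's signature algorithm, so a sha256RSA leaf under a sha1RSA issuer (the mixed chain the post says applications must tolerate) shows up as such, and it dumps the CA's published CRLs to report theirs. It assumes Windows PowerShell with the Cert: drive on a host that trusts the PKI, certutil.exe on PATH and CRLs in the default CertSrv\CertEnroll folder; the store paths and function names are my choices.

```powershell
# Added example (not from the original post or any commenter): after a CA is switched to
# SHA256, report what in this PKI still carries a SHA1 signature.
# Assumptions: Windows PowerShell on a host that trusts the PKI, certutil.exe on PATH,
# CRLs published to the default ADCS folder %windir%\System32\CertSrv\CertEnroll.

function Get-ChainSignatureReport {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Build the chain the way a consuming application would and read the signature
    # algorithm of each element; the leaf and its issuers are reported separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            Thumbprint         = $c.Thumbprint
            NotAfter           = $c.NotAfter
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            IsSha1             = ($c.SignatureAlgorithm.FriendlyName -like 'sha1*')
        }
    }
}

function Get-CrlSignatureAlgorithm {
    param([Parameter(Mandatory)][string]$CrlPath)

    # .NET Framework has no CRL parser, so use certutil -dump and take the
    # "Algorithm ObjectId: <oid> <name>" line that follows "Signature Algorithm:".
    $text  = (& certutil.exe -dump $CrlPath) -join "`n"
    $match = [regex]::Match($text, 'Signature Algorithm:\s+Algorithm ObjectId:\s*(\S+)\s+(\S+)')
    $name  = if ($match.Success) { $match.Groups[2].Value } else { 'unknown' }
    [pscustomobject]@{
        Crl                = Split-Path $CrlPath -Leaf
        SignatureAlgorithm = $name
        IsSha1             = ($name -like 'sha1*')
    }
}

function Invoke-Sha1Audit {
    param(
        [string[]]$StorePaths   = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'),
        [string]  $CrlDirectory = (Join-Path $env:windir 'System32\CertSrv\CertEnroll')
    )

    # Every chain element of every certificate in the stores, de-duplicated by thumbprint.
    $certRows = foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ChainSignatureReport -Certificate $_ }
    }
    $certRows = $certRows | Sort-Object Thumbprint -Unique

    $crlRows = Get-ChildItem -Path $CrlDirectory -Filter *.crl -ErrorAction SilentlyContinue |
               ForEach-Object { Get-CrlSignatureAlgorithm -CrlPath $_.FullName }

    Write-Host '== Certificates still carrying a SHA1 signature (renew or reissue to clear) =='
    $certRows | Where-Object IsSha1 | Format-Table Subject, SignatureAlgorithm, NotAfter -AutoSize | Out-Host
    Write-Host '== CRL signature algorithms (republish with certutil -CRL after the CA change) =='
    $crlRows | Format-Table Crl, SignatureAlgorithm -AutoSize | Out-Host

    return [pscustomobject]@{ Certificates = $certRows; Crls = $crlRows }
}

$audit = Invoke-Sha1Audit
```

Running it before and after the CA change gives a concrete before/after list: the CA's own certificate stays in the SHA1 table until it is renewed, old client certificates stay there until they are reissued, and the CRL stays there until the CA publishes a new one.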
Anonymous
April 29, 2015
Thanks Raj for the feedback, I will proceed the same way.
Anonymous
July 30, 2015
My CA is on Windows 2008 R2 using MS Software KSP with SHA1. When running "certutil -setreg ca\csp\CNGHashAlgorithm SHA256" to upgrade from SHA1 to SHA256, what happens to the already issued client certificates after the CA or SubCA certificate is upgraded to SHA2?
Anonymous
August 19, 2015
I have the same situation as Anna. Will I need to re-issue new SHA-2 certs to replace all existing SHA-1 certs or does the CA upgrade the rest in the chain?
Anonymous
September 30, 2015
Hi, I'm having an issue regarding removing expired certificates from MS PKI from a WebSphere application, and I want to upgrade the certificates in a keystore (there are 3 certificates that I want to add, and remove all the unnecessary certificates). Some guidance would be much appreciated.
Anonymous
October 02, 2015
Thank you. This got me to where I wanted to be!
Anonymous
February 19, 2017
If you ran all the commands and it still didn't work, this is why: if you run certutil -setreg ca\csp\CNGHashAlgorithm SHA256 using CMD, you will get a "successful" message. However, it is not. You must run CMD as administrator. Took me a while to figure this out; at first I failed to understand why it shows as successful but the registry itself does not change.
- Anonymous
February 23, 2017
Correct, and make sure the case SHA256 is used and not sha256 or any variation, as this will cause your CA services to fail to start.
- Anonymous