[Today’s post comes from the Configuration Manager Writing Team]
The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content has Updated: August 1, 2009 at the top of the topic.
We have only a handful of topics that have been updated this month to correct a couple of broken links and a minor editing clarification. The main change that I want to draw your attention to is the addition of a single but very important sentence in Certificate Requirements for Native Mode, which is the following for each of the native mode certificates: SHA-1 is the only supported hash algorithm
When you install the Active Directory Certificate Services role on Windows Server 2008, the Configure Cryptography for CA page of the Add Roles Wizard allows you to change the default hash algorithm of sha1 for other algorithms, such as those from the SHA2 family, including the stronger algorithms of SHA-256 and SHA-512. Only SHA-1 has been tested for native mode communication in Configuration Manager 2007, and there are no plans to extend this support in the near future. Therefore, all native mode certificates must be issued by a CA that uses SHA-1.
Disclaimer: The procedures in this blog post are external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation. However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.
How can you tell whether your certificates are using SHA-1 or another algorithm? Check the properties of the issued certificate, by using the Certificates MMC. In the Details tab, check the value of the Signature algorithm – it should say sha1RSA. And on the issuing CA, check the properties of the CA, General Tab – it should display Hash algorithm: sha1 under the Cryptographic settings section.
From customer feedback on the forums (and verified with our own testing), we know that when the site server signing certificate is signed with an algorithm that is higher than SHA-1, the MPControl.log file on the management point displays CryptVerifyCertificateSignatureEx returned error 0xc000a000 instead of the expected CryptVerifyCertificateSignatureEx returned error 0x80090006.
If you have installed Active Directory Certificate Services with a hash algorithm other than SHA-1, you can reconfigure it to use SHA-1 by using the following procedure:
- From a command prompt on the server running the CA, type the following: Certutil -setreg ca\csp\CngHashAlgorithm SHA1
- Stop and restart Certificate Services.
- If necessary, request and issue new certificates.
This posting is provided “AS IS” with no warranties and confers no rights.