Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5


Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to modify the registry for SHA-256 as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256.

Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my blog, Working Sysadmin: Figuring stuff out at work.

I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.

  Note   This is a five-part series that includes the following posts:

Today I’m wrapping up the series by migrating to SHA-256.

SHA-1 is being deprecated, let’s get on to SHA-256

It feels like we’re coming full circle. You probably started this journey because you needed to migrate from SHA-1 to SHA-256, and you found that is kind of hard if you’re using a CSP instead of KSP. Now that we took most of the week to get you on a KSP, let’s finish the job and get you on to SHA-256, too.

I’m going to create a couple of registry files. Check out the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\registry location

Expand the name of your certification authority (CA), and you’ll see the two keys I’m going to adjust. The first is the CSP key, the other is the EncryptionCSP key.

I’m not going to go through every line of every change for both keys, but what you need to know is that we’re changing references from SHA-1 to SHA-256 and references of your old CSP to KSP. I’m throwing this operation into a Try/Catch block in case something goes awry, and logging all this activity.

try

{

    $CSPreg = @"

    Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\CSP]

    "CNGHashAlgorithm"="SHA256"

    "CNGPublicKeyAlgorithm"="RSA"

    "HashAlgorithm"=dword:ffffffff

    "MachineKeyset"=dword:00000001

    "Provider"="Microsoft Software Key Storage Provider"

    "ProviderType"=dword:00000000

"@

    $CSPreg | Out-File -FilePath "$Drivename\$Foldername\csp.reg"

    Add-LogEntry $Logpath 'Created csp.reg'

    $Encryptionreg = @"

    Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\EncryptionCSP]

    "CNGEncryptionAlgorithm"="3DES"

    "CNGPublicKeyAlgorithm"="RSA"

    "EncryptionAlgorithm"=dword:6603

    "MachineKeyset"=dword:00000001

    "Provider"="Microsoft Software Key Storage Provider"

    "ProviderType"=dword:00000000

    "SymmetricKeySize"=dword:000000a8

"@

    $Encryptionreg | Out-File -FilePath "$Drivename\$Foldername\encryption.reg"

    Add-LogEntry $Logpath 'Created encryption.reg'

}

catch [Exception]

{

    Add-LogEntry $Logpath "*** Activity failed - Exception Message: $($_.Exception.Message)"

    Exit-PSHostProcess

}

Now it’s time for a bit of fun. The next thing I’m going to do is change your ErrorActionPrefence variable to SilentlyContinue. You may be saying, “Thomas, won’t that ignore errors? I don’t want to ignore errors, do I?”

You’d be right…mostly. For the next couple lines, we do want to ignore the errors that are going to arise. All you’re doing is importing the two registry files that were created earlier.

$ErrorActionPreference = 'SilentlyContinue'

cmd.exe /c "reg import $("$Drivename\$Foldername\encryption.reg")"

Add-LogEntry $Logpath 'Imported encryption.reg'

cmd.exe /c "reg import $("$Drivename\$Foldername\csp.reg")"

Add-LogEntry $Logpath 'Imported csp.reg'

Here’s what happens if you don’t change your ErrorActionPreference variable. Remember in Part 1, we changed it to Stop.

Image of error message

What the heck? We got an error message that says, “The operation completed successfully.” If I check out the registry, the changes were successfully applied. Ignoring this issue by changing ErrorActionPreference is a work around, but it will do for now.

Now I need to start the certificate service again:

Start-Service -Name 'certsvc'

Add-LogEntry $Logpath 'Started certsvc'

The very first thing I did was change the ErrorActionPreference variable to Stop, so now it’s fitting that I’m going to change it back to its previous value. I told you we were coming full circle today.

$ErrorActionPreference = $OldEAP

That’s it! Together, we’ve upgraded your Windows certification authority from a CSP to a KSP and from SHA-1 to SHA-256.

If you are interested in downloading the full script, you can find it on my blog: Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256. Thank you very much for joining me on this scripting adventure this week. I hope you got as much value from reading these posts as I did from writing them.

~Thomas

Thank you, Thomas, for an excellent five-part series. It is great!

Join me tomorrow for more way cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. Also check out my Microsoft Operations Management Suite Blog. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (0)

Skip to main content