Upgrade Certification Authority to SHA256


A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result,
an upgrade to the operating system is required. After upgrading the certification authority’s operating system, you will need to run
the following commands from an elevated command line window:

 

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

net stop certsvc

net start certsvc

Make sure you are  using a Key Storage Provider that supports SHA256 – for example the Microsoft Key Storage Provider – and then renewing the certification authority’s certificate.

 

If this proves to be too complicated, then you can simply issue certificates to clients using SHA256 even if the entire certification authority’s chain is signed with SHA1 certificates. The applications consuming the SHA256 certificates have to support the SHA256 signature on any given certificate in the chain.

Amer Kamal

Senior Premier Field Engineer

 

Comments (21)

  1. Anonymous says:

    take care of Windows XP machines, if they still existing in the environment and don't have KB968730 then every time autoenroll triggers a certificate request and issued from CA end but not appears in Store.

  2. Carol Bailey says:

    Just published on TechNet: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) – and optionally, migrating from SHA-1 to SHA-2.

    http://technet.microsoft.com/en-us/library/dn771627.aspx

  3. Barkley Bees says:

    In this case, where change the hash algorithm of an existing CA, will all pre-existing issued certificates need to be re-issued or will they still work as is? Also, do you delete/remove the old root certificates? And do clients who have the root certificate
    installed need to install the new one or would they be ok with the old one?

  4. Erik Bussink says:

    Should this settings also be included in the CApolicy.inf on the Offline Root CA and the Issuing CA as a base config ?

  5. Erik Bussink says:

    When changing the CNGHashAlgorithm to SHA256, should the CApolicy.inf also include AlternateSignatureAlgorithm = 1 (Wrongly described as  DiscreteSignatureAlgorithm in the 2008 PKI book).

    Thanks a lot.

  6. Erik Bussink says:

    I'm trying to renew a Root CA, what was issued with the "Microsoft Strong Cryptographic Provider" 10 years ago.

    While everyone talks about upgrading the Signing Algorithm, I cannot find any articles or information pertaining on how to upgrade from the "Microsoft Strong Cryptographic Provider" to the "Microsoft Software Key Storage Provider" which supports SHA2 (SAH256,SHA512).

    Thanks for any pointer.

  7. Amerk [MSFT] says:

    Hi Erik,

    The only way you can do so is by installing a new CA

  8. ErikBussink says:

    Thanks a lot Amer.

    After trying to fix this issue for a few hours, I realized that all the 10 years old PKI (created on Windows Server 2003) that might be going into renewal that are based on "Microsoft Strong Cryptographic Provider" CSP will have issues in the next 3 years.

    The recent announcement that Microsoft will deprecate SHA1 signatures on January 2017, these Root CA will be impacted by these changes. This is big for all Root CA that are suppose to last 20 years (2003-2023 using SHA1 hashing).

    At the end of my renewal process of my current Root CA (#0 RSA 2048/SHA1 => 2003-2013, #1 RSA 4096/SHA1 => 2013-2023). I decided to create a new Root CA in parallel with the Microsoft Software Key Storage Provider CSP (RSA4096/SHA512).

    People should not renew their current Root CA if they have been created with the "Microsoft Strong Cryptographic Provider" CSP, but rather migrate to a new Root CA that is using a CNG CSP like the "Microsoft Software Key Storage Provider".

    Regards,

    Erik Bussink, CISSP

  9. Ratko says:

    When using SHA256RSA signatures, the Certificate Enrollment for Encryption Certificate with Enrollment Agent and using Enroll on Behalf of fails if Key Recovery is used, the error is during certificate retrieval:
    An unexpected key archival hash attribute was found

    Any idea where to Search for the problem?

    Thanks

  10. M.B.A says:

    does this article also work for 2008 (not R2) CAs ?

    http://technet.microsoft.com/en-us/library/dn771627.aspx

  11. 2008 CA Admin says:

    This article did work for my 2008 (non R2) CA. No issues.

  12. Alexander Batishchev says:

    Worked great on 2012 R2.

  13. Raj says:

    what happens to the already issued client certificate after the CA or SubCA certificate is upgraded to SHA2?

  14. Raj says:

    More details:

    I have a RootCA and a SubCA – root is offline and SubCA has issue many client certs over the years. I am planning the following:

    1. Root CA to be started on the VM cluster –
    2. Backup cert repository on both root and sub CAs

    certutil -backup \sharecabackup
    certutil -backup \sharesubcabackup

    3. Change signing to algorithm to SHA2 only on SubCA

    certutil -setreg cacspCNGHashAlgorithm SHA256

    net stop certsvc

    net start certsvc

    4. Try issuing a client certificate from any server or online portal
    5. If the certificate is SHA2, this is considered completed
    6. If not update the issuing cert of the SubCA to SHA2 (just renew with the same key) and test existing certs, issue new certs

    Before I do this, I need assurance of some sort, anyone done this yet? what happens to the old certs with SHA1.

  15. I was inspired by all the answers and replies here, along with different discussions to came up with my own white paper describing the process

    There are many sides to the SHA-2 upgrade story. You can do side by side different Root CA migration, or you can upgrade your existing CA servers.

    There is a white paper describing each approach and how it will affect your applications:

    http://ammarhasayen.com/2015/02/04/what-makes-a-ca-capable-of-issuing-certificates-that-uses-sha-2/

  16. Raj says:

    Just completed the upgrade for our PKI. All old certs work fine and the chain remains intact. Ensure that SUBCA or issuing CA cert keep the old keys and if there are no AD clients they need the new SHA2 cert loaded

  17. asanhaji says:

    Thanks raj for the feedback I will proceed the same way

  18. Garry Trinder says:

    My CA is on Windows 2008 R2 using MS Software KSP with SHA1. When running the "certutil -setreg cacspCNGHashAlgorithm SHA256" to upgrade from SHA1 to SHA256, what happens to the already issued client certificate after the CA or SubCA certificate is upgraded
    to SHA2?

  19. Rich says:

    I have the same situation as Anna. Will I need to re-issue new SHA-2 certs to replace all existing SHA-1 certs or does the CA upgrade the rest in the chain?

  20. Pranav says:

    Hi, I’m having an issue regarding removing expired certificates from MS PKI from a websphere application and I want to upgrade the certificates from a keystore (there are 3 certificates that I want to add and remove all the unnecessary certificates, some
    guidance would be much appreciated.

  21. robwmackinnon says:

    Thank you. This got me to where I wanted to be!