A common question in the field is how to upgrade a certification authority running on Windows Server 2003 to use Cryptography Next Generation (CNG) so that it can issue SHA256-signed certificates. CNG was introduced in Windows Server 2008 and later operating systems, so an operating system upgrade is required first. After upgrading the certification authority's operating system, run the following commands from an elevated command prompt:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
Make sure the CA key is held by a Key Storage Provider that supports SHA256, for example the Microsoft Software Key Storage Provider, and then renew the certification authority's certificate. If the CA key was created with a legacy Cryptographic Service Provider such as the Microsoft Strong Cryptographic Provider, setting CNGHashAlgorithm alone has no effect; the key has to be migrated to a KSP (or a new CA built) before SHA256 can be used.
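The following PowerShell script is an added example and not part of the original post. It carries out the steps above on the CA itself from an elevated window: it reads the CA's CSP configuration from the CertSvc registry key, refuses to proceed if the key is still held by a legacy CSP (where CNGHashAlgorithm would be ignored), applies the SHA256 setting, restarts the service and verifies the change from the live registry. The list of accepted KSP names is an assumption (only the software KSP is listed; an HSM KSP would have its own provider name), and the temporary file path used to inspect the CA certificate is arbitrary.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# window on the CA. Works with Windows PowerShell 2.0 and later.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active          # common name of the active CA
$csp    = Get-ItemProperty -Path "$cfgKey\$caName\CSP"

Write-Host "CA name:          $caName"
Write-Host "Provider:         $($csp.Provider)"
Write-Host "CNGHashAlgorithm: $($csp.CNGHashAlgorithm)"    # empty when the key is in a legacy CSP
Write-Host ("HashAlgorithm:    0x{0:X}" -f $csp.HashAlgorithm)  # legacy CSP algid; 0x8004 is SHA-1

# Assumption: the only KSP we expect to see here is the software KSP. Hardware
# (HSM) KSPs have their own provider names and would need to be added.
$knownKsps = @('Microsoft Software Key Storage Provider')

if ($knownKsps -notcontains $csp.Provider) {
    Write-Warning ("Provider '{0}' is a legacy CryptoAPI CSP. CNGHashAlgorithm has no effect " +
                   "until the CA key is migrated to a KSP or the CA is rebuilt.") -f $csp.Provider
    return
}

# Apply the setting exactly as in the article, then restart the CA service.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc

# Verify from the live registry rather than trusting certutil's console output.
$after = Get-ItemProperty -Path "$cfgKey\$caName\CSP"
if ($after.CNGHashAlgorithm -ne 'SHA256') {
    throw "CNGHashAlgorithm is '$($after.CNGHashAlgorithm)', expected SHA256"
}
Write-Host 'New certificates issued by this CA will now be signed with sha256RSA.'

# Optional: renew the CA certificate so the CA's own certificate is SHA-256
# signed as well. ReuseKeys keeps the existing key pair; omit it for a new key.
# certutil -renewCert ReuseKeys

# Show which signature algorithm the current CA certificate carries. Until the
# CA certificate is renewed this still reports sha1RSA even though newly
# issued end-entity certificates are sha256RSA.
$caCertFile = Join-Path $env:TEMP 'ca-cert-check.cer'   # arbitrary scratch path
certutil -ca.cert $caCertFile | Out-Null
certutil -dump $caCertFile | Select-String -Pattern 'sha\d*RSA'
Remove-Item $caCertFile -ErrorAction SilentlyContinue
```

The provider check is the part most often skipped in practice: on a CA whose key dates from Windows Server 2003, the provider is almost always the Microsoft Strong Cryptographic Provider, and in that case the certutil command succeeds silently but the CA keeps signing with SHA-1.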
If this proves too complicated, you can instead issue SHA256-signed certificates to clients even while the certification authority's own chain is still signed with SHA1. The applications consuming those SHA256 certificates have to support a SHA256 signature on any given certificate in the chain.
Senior Premier Field Engineer
Take care of Windows XP machines: if they still exist in the environment and don't have KB968730, then every time autoenrollment triggers a certificate request, the certificate is issued on the CA end but does not appear in the store.
Should these settings also be included in the CAPolicy.inf on the Offline Root CA and the Issuing CA as a base config?
When changing the CNGHashAlgorithm to SHA256, should the CAPolicy.inf also include AlternateSignatureAlgorithm = 1 (wrongly described as DiscreteSignatureAlgorithm in the 2008 PKI book)?
Thanks a lot.
I'm trying to renew a Root CA which was issued with the "Microsoft Strong Cryptographic Provider" 10 years ago.
While everyone talks about upgrading the signing algorithm, I cannot find any articles or information pertaining to how to upgrade from the "Microsoft Strong Cryptographic Provider" to the "Microsoft Software Key Storage Provider", which supports SHA2 (SHA256, SHA512).
Thanks for any pointer.
The only way you can do so is by installing a new CA
Thanks a lot Amer.
After trying to fix this issue for a few hours, I realized that all the 10-year-old PKIs (created on Windows Server 2003) that might be going into renewal and are based on the "Microsoft Strong Cryptographic Provider" CSP will have issues in the next 3 years.
With the recent announcement that Microsoft will deprecate SHA1 signatures in January 2017, these Root CAs will be impacted by these changes. This is big for all Root CAs that are supposed to last 20 years (2003-2023 using SHA1 hashing).
At the end of the renewal process of my current Root CA (#0 RSA 2048/SHA1 => 2003-2013, #1 RSA 4096/SHA1 => 2013-2023), I decided to create a new Root CA in parallel with the Microsoft Software Key Storage Provider CSP (RSA4096/SHA512).
People should not renew their current Root CA if they have been created with the "Microsoft Strong Cryptographic Provider" CSP, but rather migrate to a new Root CA that is using a CNG CSP like the "Microsoft Software Key Storage Provider".
Erik Bussink, CISSP
When using SHA256RSA signatures, Certificate Enrollment for an Encryption Certificate with an Enrollment Agent using Enroll on Behalf Of fails if Key Recovery is used. The error occurs during certificate retrieval: "An unexpected key archival hash attribute was found". Any idea where to search for the problem? Thanks
Just published on TechNet: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) - and optionally, migrating from SHA-1 to SHA-2.
In this case, where the hash algorithm of an existing CA is changed, will all pre-existing issued certificates need to be re-issued or will they still work as is? Also, do you delete/remove the old root certificates? And do clients who have the root certificate installed need to install the new one, or would they be OK with the old one?
Does this article also work for 2008 (not R2) CAs?
This article did work for my 2008 (non R2) CA. No issues.
Worked great on 2012 R2.