Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Upgrade Certification Authority to SHA256


A common question in the field is how to upgrade a certification authority running on Windows Server 2003 so that it uses Crypto Next Generation (CNG) and can sign with SHA256. CNG was introduced in Windows Server 2008 and later operating systems, so an upgrade of the operating system is required first. After upgrading the certification authority’s operating system, run the following commands from an elevated command prompt:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

Make sure you are using a Key Storage Provider that supports SHA256 (for example, the Microsoft Key Storage Provider), and then renew the certification authority’s certificate.

If this proves too complicated, you can simply issue SHA256 certificates to clients even while the entire certification authority chain is still signed with SHA1. The applications consuming the SHA256 certificates must support a SHA256 signature on every certificate in the chain.
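The registry value that certutil -setreg writes above only matters if the CA key actually lives in a Key Storage Provider, and the CA's own certificate stays SHA1-signed until it is renewed. This added PowerShell check (not part of the original post) reads the CA's CSP configuration and its certificate and reports which of those three conditions still need attention; it assumes the default CertSvc registry layout and that the CA certificate's subject starts with the CA's common name.

```powershell
# Added example: pre/post-check for the SHA256 upgrade described in the post.
# Run in an elevated PowerShell session on the CA host.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

$provider = $csp.Provider
$cngHash  = $csp.CNGHashAlgorithm   # $null if certutil -setreg was never run

# Legacy CryptoAPI CSP names seen on Windows Server 2003 CAs (assumed list;
# anything else is treated as a CNG Key Storage Provider).
$legacyCsps = @(
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Base Cryptographic Provider v1.0'
)
$isKsp = -not ($legacyCsps -contains $provider)

# The CA's own certificate: its signature was made by the parent (or itself),
# so it is only updated when the CA certificate is renewed.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$caName" -or $_.Subject -like "CN=$caName,*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$caSig  = $caCert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA / sha256RSA

[pscustomobject]@{
    CA                 = $caName
    Provider           = $provider
    KeyStorageProvider = $isKsp
    CNGHashAlgorithm   = $cngHash
    CACertSignature    = $caSig
}

if (-not $isKsp) {
    Write-Warning "CA key is in a legacy CSP; CNGHashAlgorithm has no effect until the key is in a KSP (new CA or CSP-to-KSP migration)."
} elseif ($cngHash -ne 'SHA256') {
    Write-Warning "CNGHashAlgorithm is '$cngHash'. Run: certutil -setreg ca\csp\CNGHashAlgorithm SHA256, then restart certsvc."
}
if ($caSig -eq 'sha1RSA') {
    Write-Warning "The CA certificate itself is still SHA1-signed: newly issued certificates will be SHA256, but the chain stays SHA1 until the CA certificate is renewed."
}
```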

Amer Kamal

Senior Premier Field Engineer


  • Take care of Windows XP machines: if they still exist in the environment and don't have KB968730, then every time autoenrollment triggers a certificate request, the certificate is issued on the CA side but does not appear in the store.

  • Should this setting also be included in the CApolicy.inf on the Offline Root CA and the Issuing CA as a base config?

  • When changing the CNGHashAlgorithm to SHA256, should the CApolicy.inf also include AlternateSignatureAlgorithm = 1 (wrongly described as DiscreteSignatureAlgorithm in the 2008 PKI book)?

    Thanks a lot.

  • I'm trying to renew a Root CA that was issued with the "Microsoft Strong Cryptographic Provider" 10 years ago.

    While everyone talks about upgrading the signing algorithm, I cannot find any articles or information pertaining to how to upgrade from the "Microsoft Strong Cryptographic Provider" to the "Microsoft Software Key Storage Provider", which supports SHA2 (SHA256, SHA512).

    Thanks for any pointer.

  • Hi Erik,

    The only way you can do so is by installing a new CA.

  • Thanks a lot Amer.

    After trying to fix this issue for a few hours, I realized that all the 10-year-old PKIs (created on Windows Server 2003) that might be going into renewal and that are based on the "Microsoft Strong Cryptographic Provider" CSP will have issues in the next 3 years.

    With the recent announcement that Microsoft will deprecate SHA1 signatures in January 2017, these Root CAs will be impacted by these changes. This is big for all Root CAs that are supposed to last 20 years (2003-2023 using SHA1 hashing).

    At the end of the renewal process of my current Root CA (#0 RSA 2048/SHA1 => 2003-2013, #1 RSA 4096/SHA1 => 2013-2023), I decided to create a new Root CA in parallel with the Microsoft Software Key Storage Provider CSP (RSA4096/SHA512).

    People should not renew their current Root CA if it was created with the "Microsoft Strong Cryptographic Provider" CSP, but rather migrate to a new Root CA that uses a CNG CSP like the "Microsoft Software Key Storage Provider".


    Erik Bussink, CISSP

  • When using SHA256RSA signatures, Certificate Enrollment for an Encryption Certificate with an Enrollment Agent using Enroll on Behalf Of fails if Key Recovery is used; the error occurs during certificate retrieval:
    An unexpected key archival hash attribute was found

    Any idea where to search for the problem?


  • Just published on TechNet: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) - and optionally, migrating from SHA-1 to SHA-2.

  • In this case, where the hash algorithm of an existing CA is changed, will all pre-existing issued certificates need to be re-issued, or will they still work as is? Also, do you delete/remove the old root certificates? And do clients who have the root certificate installed need to install the new one, or would they be OK with the old one?

  • Does this article also work for 2008 (not R2) CAs?

  • This article did work for my 2008 (non R2) CA. No issues.

  • Worked great on 2012 R2.

  • What happens to the already issued client certificates after the CA or SubCA certificate is upgraded to SHA2?

  • More details:

    I have a RootCA and a SubCA; the root is offline and the SubCA has issued many client certs over the years. I am planning the following:

    1. Root CA to be started on the VM cluster -
    2. Backup cert repository on both root and sub CAs

    certutil -backup \\share\cabackup
    certutil -backup \\share\subcabackup

    3. Change the signing algorithm to SHA2 only on the SubCA

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    net stop certsvc
    net start certsvc

    4. Try issuing a client certificate from any server or online portal
    5. If the certificate is SHA2, this is considered completed
    6. If not, update the issuing cert of the SubCA to SHA2 (just renew with the same key), test existing certs and issue new certs

    Before I do this, I need assurance of some sort. Has anyone done this yet? What happens to the old certs with SHA1?

  • I was inspired by all the answers and replies here, along with different discussions, to come up with my own white paper describing the process.

    There are many sides to the SHA-2 upgrade story. You can do a side-by-side migration to a different Root CA, or you can upgrade your existing CA servers.

    There is a white paper describing each approach and how it will affect your applications:
