01 March 2012 Thursday 11:39
I have Certification Authority on Windows 2008 R2 with signature algorithm SHA1. Is possible to sign certificate by this CA with other signature algorithm - e.g. with MD5? Just only for this one certificate?
02 March 2012 Friday 17:41
It should be impossible. Why do you want to do that?
04 March 2012 Sunday 14:47
Yes, it is possible, but it is not recommended, and probably not even supported. Yes, you can change the CA's signature algorithm, the one that the CA uses to sign its issued certificates after installation (of course, you cannot change the algorithm with which the CA's own certificate is signed). This can be done in the registry, in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\...\CSP. There is the CNGHashAlgorithm (or HashAlgorithm) value, which contains the current signature algorithm. If you change it to something else and restart the CA service, from that point on the CA will be signing with the new algorithm. The problem is it cannot do it just for a single certificate or template. It is a CA-wide setting.
Also, please understand that clients always validate the whole certificate chain, which means not only the leaf certificate (which would be signed with your MD5), but the clients also check the signatures of all the certification authorities in the chain (in your case it would be your SHA1 CA). Why would you change the leaf signature at all?
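The registry location and restart procedure described in the post above, turned into an audit script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the CA server, that the CA name can be read from the "Active" value under the Configuration key, and that the CA key is stored in a CNG key storage provider so that CNGHashAlgorithm is the value in effect. It reads the CA-wide hash, flags a weak one, and (only with the -Remediate switch) raises it to SHA256 via certutil and restarts the service.

```powershell
# Added example (not from the thread): audit the CA-wide signing hash of an AD CS
# server and optionally strengthen it. Run elevated on the CA itself.
# Assumption: the CA key lives in a CNG KSP, so CNGHashAlgorithm is the active value.
param(
    [switch]$Remediate,                  # actually change the setting and restart certsvc
    [string]$TargetHash = 'SHA256'       # hash to move to when the current one is weak
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value under Configuration holds the common name of the running CA.
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$cspKey = Join-Path $base "$caName\CSP"
$csp    = Get-ItemProperty -Path $cspKey

$provider   = $csp.Provider
$cngHash    = $csp.CNGHashAlgorithm      # string such as SHA1 / SHA256 (CNG providers)
$legacyHash = $csp.HashAlgorithm         # ALG_ID DWORD, used only by legacy CSP keys

Write-Host "CA name      : $caName"
Write-Host "Key provider : $provider"
Write-Host "CNG hash     : $cngHash"
if ($null -ne $legacyHash) {
    Write-Host ("Legacy hash  : 0x{0:X}" -f $legacyHash)
}

# Hashes that should no longer be used for certificate signatures.
$weak = @('MD2', 'MD4', 'MD5', 'SHA1')

if ([string]::IsNullOrEmpty($cngHash)) {
    Write-Warning 'CNGHashAlgorithm is not set; the CA key is probably in a legacy CSP.'
    Write-Warning 'Migrate the key to a KSP before changing the hash; HashAlgorithm applies until then.'
    return
}

if ($weak -notcontains $cngHash) {
    Write-Host "OK: CA signs issued certificates with $cngHash."
    return
}

# From the thread: the setting is CA-wide, so every certificate issued after the
# change inherits it, and relying parties still verify the whole chain.
Write-Warning "CA signs with $cngHash; all certificates issued from now on carry that weakness."

if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to set CNGHashAlgorithm to $TargetHash and restart certsvc."
    return
}

# certutil -setreg writes the same CSP\CNGHashAlgorithm value the post refers to.
certutil -setreg "ca\csp\CNGHashAlgorithm" $TargetHash | Out-Null
Restart-Service -Name certsvc

$after = (Get-ItemProperty -Path $cspKey -Name CNGHashAlgorithm).CNGHashAlgorithm
Write-Host "CNGHashAlgorithm is now $after; certificates issued from this point use it."
```

Note that the CA's own certificate keeps whatever signature it was issued with, exactly as the post says: this setting only affects what the CA signs from the restart onward, and it applies to every template, not to a single certificate.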
07 March 2012 Wednesday 02:21
Moderator
Is there any update? If you need further assistance, please let us know.
07 March 2012 Wednesday 08:05
Hi Bruce-Liu and Ondrej,
Thanks for the reply from Ondrej. It's interesting information, but I supposed that it's possible only through an unsupported, strange change in the registry.
One of the customers is pressing me and says that it's possible, but to be absolutely sure that it's not supported, or is just impossible, I've asked here.