Change signature algorithm - possible?

    Question

  • Hi,

    I have a Certification Authority on Windows 2008 R2 with signature algorithm SHA1. Is it possible to sign a certificate with this CA using another signature algorithm, e.g. MD5? Just for this one certificate?

    regards
    e-micra

    Thursday, March 01, 2012 11:39 AM

Answers

  • Yes, it is possible, but it is not recommended, and probably not even supported. Yes, you can change the CA's signature algorithm, the one that the CA uses to sign its issued certificates after installation (of course, you cannot change the algorithm with which the CA's own certificate is signed). This can be done in the registry, in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\...\CSP. There is the CNGHashAlgorithm (or HashAlgorithm) value, which contains the current signature algorithm. If you change it to something else and restart the CA service, from that point on the CA will be signing with the new algorithm. The problem is that it cannot do it just for a single certificate or template. It is a CA-wide setting.

    Also please understand that clients always validate the whole certificate chain - which means not only the leaf certificate (which would be signed with your MD5), but the clients also check the signatures of all the certification authorities in the chain (in your case, your SHA1 CA). Why would you change the leaf signature at all?

    ondrej.

    • Proposed as answer by Vadims PodansMVP Monday, March 05, 2012 6:28 AM
    • Marked as answer by e-micra Wednesday, March 07, 2012 8:02 AM
    Sunday, March 04, 2012 2:47 PM
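As an added illustration of the CA-wide setting described in the accepted answer (this is example code, not from the thread or from Microsoft): a PowerShell session, run elevated on the CA itself, that resolves the active CA instance from the Configuration key's Active value, reads the hash-algorithm value under that instance's CSP key, and then checks what the CA certificate and an issued certificate were actually signed with. The issued-certificate path is a placeholder, and the ALG_ID table is the wincrypt.h mapping used by the legacy (non-CNG) HashAlgorithm DWORD.

```powershell
# Added example: inspect the CA-wide signing hash and verify issued certificates.
# Run in an elevated session on the CA. Assumes the CA named in Configuration\Active
# is the one you care about; 'C:\path\to\issued.cer' below is a placeholder.

$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $confKey -Name Active).Active
$cspKey  = Join-Path $confKey "$caName\CSP"
$csp     = Get-ItemProperty -Path $cspKey

# ALG_ID values from wincrypt.h; only relevant when the CA uses a legacy CSP,
# in which case HashAlgorithm is a REG_DWORD rather than a name string.
$algId = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }

"CA instance      : $caName"
"Provider         : $($csp.Provider)"
if ($csp.PSObject.Properties['CNGHashAlgorithm']) {
    # CNG key storage provider: value is the hash name, e.g. SHA1 or SHA256
    "CNGHashAlgorithm : $($csp.CNGHashAlgorithm)"
}
if ($csp.PSObject.Properties['HashAlgorithm']) {
    # Legacy CSP: value is an ALG_ID; decode it so the output is readable
    $id = [int]$csp.HashAlgorithm
    "HashAlgorithm    : 0x{0:X} = {1}" -f $id, $algId[$id]
}

# The same value read the way the Microsoft migration guidance does it; certutil
# resolves the active CA itself, so no CA name is needed here.
certutil -getreg ca\csp\CNGHashAlgorithm

# Report what a certificate was actually signed with. SignatureAlgorithm reflects
# the issuing CA's setting at issuance time, e.g. sha1RSA, sha256RSA, md5RSA.
function Get-SignatureAlgorithm([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        Algorithm = $cert.SignatureAlgorithm.FriendlyName
    }
}

# The CA's own certificate: its signature is fixed at install/renewal time and is
# not affected by the CSP registry value.
certutil -ca.cert "$env:TEMP\ca.cer" | Out-Null
Get-SignatureAlgorithm "$env:TEMP\ca.cer"

# A leaf issued by this CA (placeholder path). Every certificate issued after a
# change and service restart carries the new algorithm; there is no per-template knob.
Get-SignatureAlgorithm 'C:\path\to\issued.cer'

# Changing the setting is the documented SHA-1 to SHA-2 migration procedure; the
# MD5 case in the thread would use the same mechanism. Uncomment to apply.
# certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# Restart-Service certsvc
```

On a CA backed by a legacy CSP the CNGHashAlgorithm value may be absent and certutil -getreg will report that, which is why the script also decodes the HashAlgorithm DWORD. Running Get-SignatureAlgorithm against both the CA certificate and a leaf makes the point in the answer concrete: the leaf's algorithm changes with the registry value, the CA certificate's does not, and a relying party checks both.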

All replies

  • It should be impossible. Why do you want to do that?
    Friday, March 02, 2012 5:41 PM
  • Hi e-micra,

    Is there any update? If you need further assistance, please let us know.

    Regards,

    Bruce

    Wednesday, March 07, 2012 2:21 AM
  • Hi Bruce-Liu and Ondrej,

    thanks for the reply from Ondrej - it's interesting information, but I supposed that it's possible only through an unsupported, strange change in the registry.

    One of my customers is pressing me and says that it's possible, but to be absolutely sure that it's not supported or just impossible I've asked here.

    Thanks again,
    e-micra

    Wednesday, March 07, 2012 8:05 AM