Change signature algorithm - possible?

Answer

  • Yes, it is possible, but it is not recommended, and probably not even supported. Yes, you can change the CA's signature algorithm, the one that the CA uses to sign its issued certificates after installation (of course, you cannot change the algorithm with which the CA's own certificate is signed). This can be done in the registry, in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\...\CSP. There is the CNGHashAlgorithm (or HashAlgorithm) value, which contains the current signature algorithm. If you change it to something else and restart the CA service, from that point on the CA will be signing with the new algorithm. The problem is that it cannot do it just for a single certificate or template. It is a CA-wide setting.

    Also please understand that clients always validate the whole certificate chain, which not only means the leaf certificate (which would be signed with your MD5), but the clients also check the signatures of all the certification authorities in the chain (in your case it would be your SHA1 CA). Why would you change the leaf signature at all?

    ondrej.

    • Proposed as answer by Vadims Podans MVP 5 March 2012 6:28
    • Marked as answer by e-micra 7 March 2012 8:02
    4 March 2012 14:47
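The answer above points at a registry value and at the fact that relying parties check every signature in the chain, not just the leaf. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads the CA's configured signing hash from the CSP subkey (the CA name is taken from the `Active` value under the Configuration key, which is an assumption about a standard CA install, or can be passed in) and then walks a certificate chain with the .NET X509Chain class to report the signature algorithm of each element. It only reads; it does not change the CA setting.

```powershell
# Added example (not from the thread): audit a Windows CA's configured signing hash
# and the signature algorithms of a certificate chain. Run on the CA host as admin.
param(
    [string]$CaName,        # optional; defaults to the 'Active' CA named in the registry (assumption)
    [string]$LeafCertPath   # optional: path to a .cer file issued by this CA
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not $CaName) {
    # The 'Active' value names the CA instance whose subkey holds the CSP settings.
    $CaName = (Get-ItemProperty -Path $configKey -Name Active).Active
}
$cspKey = Join-Path $configKey "$CaName\CSP"
$csp = Get-ItemProperty -Path $cspKey

# Legacy CSP CAs store HashAlgorithm as a CAPI ALG_ID (DWORD); CNG CAs store
# CNGHashAlgorithm as a string such as "SHA256".
$algIdNames = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
if ($csp.PSObject.Properties['CNGHashAlgorithm']) {
    $current = $csp.CNGHashAlgorithm
} elseif ($csp.PSObject.Properties['HashAlgorithm']) {
    $current = $algIdNames[[int]$csp.HashAlgorithm]
    if (-not $current) { $current = ('ALG_ID 0x{0:X}' -f $csp.HashAlgorithm) }
} else {
    $current = 'unknown'
}
"CA '$CaName' signs issued certificates with: $current"

# Flag deprecated hashes on the CA setting itself.
$weak = @('MD5', 'SHA1', 'MD2', 'MD4')
if ($weak -contains $current) {
    Write-Warning "CA is configured to sign with a deprecated hash ($current)."
}

# Repeat the check over a whole chain, because relying parties validate every
# signature in it, not only the leaf's.
if ($LeafCertPath) {
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only signature algorithms matter here
    $null = $chain.Build($leaf)
    foreach ($el in $chain.ChainElements) {
        $c   = $el.Certificate
        $alg = $c.SignatureAlgorithm.FriendlyName    # e.g. sha1RSA, sha256RSA
        $flag = if ($weak | Where-Object { $alg -match $_ }) { ' <-- weak hash' } else { '' }
        "{0,-50} {1}{2}" -f $c.Subject, $alg, $flag
    }
}
```

Running it with `-LeafCertPath` against a certificate issued by the CA shows the point made in the answer directly: even if the CA setting were switched to a weaker hash for issued certificates, the chain listing still shows the CA's own certificate with whatever hash it was originally signed with, and a client that rejects weak hashes evaluates every row of that listing.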

All replies

  • It should be impossible. Why do you want to do that?
    2 March 2012 17:41
  • Hi e-micra,

    Is there any update? If you need further assistance, please let us know.

    Regards,

    Bruce

    7 March 2012 2:21
  • Hi Bruce-Liu and Ondrej,

    Thanks for the reply from Ondrej. It's interesting information, but I supposed that it's possible only through an unsupported, strange change in the registry.

    One of my customers is pressing me and says that it's possible, but to be absolutely sure that it's not supported or just impossible I've asked here.

    Thanks again,
    e-micra

    7 March 2012 8:05