Change signature algorithm - possible?

    Question

  • Hi,

    I have a Certification Authority on Windows 2008 R2 with signature algorithm SHA1. Is it possible to sign a certificate with this CA using another signature algorithm, e.g. MD5? Just for this one certificate?

    regards
    e-micra

    Thursday, March 1, 2012 11:39

Answers

  • Yes, it is possible, but it is not recommended, and probably not even supported. Yes, you can change the CA's signature algorithm, the one that the CA uses to sign its issued certificates, after installation (of course, you cannot change the algorithm with which the CA's own certificate is signed). This can be done in the registry, in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\...\CSP. There is the CNGHashAlgorithm (or HashAlgorithm) value, which contains the current signature algorithm. If you change it to something else and restart the CA service, from that point on the CA will be signing with the new algorithm. The problem is that it cannot do it just for a single certificate or template. It is a CA-wide setting.

    Also please understand that clients always validate the whole certificate chain, which means not only the leaf certificate (which would be signed with your MD5), but the clients also check the signatures of all the certification authorities in the chain (in your case it would be your SHA1 CA). Why would you change the leaf signature at all?

    ondrej.

    • Proposed as answer by Vadims Podans MVP Monday, March 5, 2012 06:28
    • Marked as answer by e-micra Wednesday, March 7, 2012 08:02
    Sunday, March 4, 2012 14:47
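The two checks behind ondrej's answer, written up as an added PowerShell example (this is not code from the thread or from Microsoft): reading the CA-wide hash setting he points at, and listing the signature algorithm of every certificate in a chain, since relying parties verify all of them and not just the leaf. The `CA\CSP\...` path is the shorthand `certutil -getreg` uses for the active CA's `Configuration\<CA name>\CSP` registry key; the `$LeafPath` parameter and the list of hashes treated as weak are assumptions of the example.

```powershell
# Added example, not code from the thread. Read the CA-wide signing hash that
# ondrej describes: CNGHashAlgorithm for a CNG provider, falling back to the
# legacy CSP value HashAlgorithm. Run on the CA host with local admin rights;
# "CA\" in certutil -getreg is shorthand for
# HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
function Get-CASigningHash {
    $out = certutil -getreg CA\CSP\CNGHashAlgorithm 2>$null
    if ($LASTEXITCODE -ne 0) {
        $out = certutil -getreg CA\CSP\HashAlgorithm 2>$null
    }
    # certutil prints lines such as "  CNGHashAlgorithm REG_SZ = SHA1"; return only that line
    $out | Select-String -Pattern 'HashAlgorithm\s+REG_' | ForEach-Object { $_.Line.Trim() }
}

# Build the chain for a leaf certificate and report each element's signature
# algorithm. A relying party verifies every signature in the chain except the
# trust anchor's own self-signature, so changing only the leaf algorithm does
# not change what the client has to accept from the issuing CA.
function Get-ChainSignatureAlgorithms {
    param(
        [Parameter(Mandatory)][string]$LeafPath,    # path to a DER or PEM .cer file (assumption)
        [string[]]$WeakHashes = @('md5', 'sha1')    # hash prefixes to flag (assumption)
    )
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $LeafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Signature audit only: skip CRL/OCSP so the check also works offline
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null  = $chain.Build($leaf)    # returns $false for untrusted or expired chains; elements are still populated
    $count = $chain.ChainElements.Count
    for ($i = 0; $i -lt $count; $i++) {
        $cert     = $chain.ChainElements[$i].Certificate
        $alg      = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA, md5RSA
        $isAnchor = ($i -eq $count - 1) -and ($cert.Subject -eq $cert.Issuer)
        if ($i -eq 0)        { $position = 'Leaf' }
        elseif ($isAnchor)   { $position = 'Root (self-signed; signature not validated by clients)' }
        else                 { $position = 'Intermediate CA' }
        [pscustomobject]@{
            Position  = $position
            Subject   = $cert.Subject
            Algorithm = $alg
            # A weak hash on the anchor's self-signature is not a chain-validation problem
            WeakHash  = (-not $isAnchor) -and [bool]($WeakHashes | Where-Object { $alg -like "$_*" })
        }
    }
    $chain.Dispose()
}

# Usage (paths are placeholders):
# Get-CASigningHash
# Get-ChainSignatureAlgorithms -LeafPath 'C:\temp\issued.cer' | Format-Table -AutoSize
```

The first function shows the setting ondrej describes is a single value for the whole CA, which is why it cannot be applied to one certificate. The second makes his chain point concrete: a leaf flagged as weak and an intermediate flagged as weak are both failures from the client's point of view, and fixing one does not fix the other.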

All Replies

  • It should be impossible. Why do you want to do that?
    Friday, March 2, 2012 17:41
  • Hi e-micra,

    Is there any update? If you need further assistance, please let us know.

    Regards,

    Bruce

    Wednesday, March 7, 2012 02:21
  • Hi Bruce-Liu and Ondrej,

    thanks for the reply from Ondrej - it's interesting information, but I supposed that it's possible only through a strange, unsupported change in the registry.

    One of my customers is pressing me and says that it's possible, but to be absolutely sure that it's not supported or just impossible I've asked here.

    Thanks again,
    e-micra

    Wednesday, March 7, 2012 08:05