The SHA-2 announcement and ADCS upgrades

  • Question

  • Hi,

    On November 12, 2013, Microsoft announced that it's deprecating the use of the SHA-1 algorithm in SSL and code signing certificates.

    We have 1 offline Root CA, and 1 online issuing Enterprise subordinate CA.

    I assume we need to upgrade both CAs to support SHA-2, by simply running the following command on each CA server:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256

    Thanks,

    SK

    Thursday, August 13, 2015 11:22 PM

Answers

  • On Thu, 13 Aug 2015 23:22:37 +0000, Shim Kwan wrote:

    On November 12, 2013, Microsoft announced that it's deprecating the use of the SHA-1 algorithm in SSL and code signing certificates.

    Keep in mind that currently this only applies to certificates that are
    issued by CAs that chain to public roots in the Microsoft Trusted Roots
    program.

    Having said that, it is a good idea to start planning this move for
    internal PKIs as well as some browsers (Firefox for example) are blocking
    SHA1 certificates already.


    We have 1 offline Root CA, and 1 online issuing Enterprise subordinate CA.

    I assume we need to upgrade both CAs to support SHA-2, by simply running the following command on each CA server:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256

    That depends on whether or not your current CAs are using a CSP or a KSP.
    If the former then you'll first need to convert the keys to use a KSP:

    https://technet.microsoft.com/en-us/library/dn771627.aspx?f=255&MSPPError=-2147217396

    Also, you just can't blindly assume that all relying parties will accept
    SHA2 signed certificates. You'll need to spend time testing operating
    systems, network devices, and apps to ensure that they all support SHA2.


    Paul Adare - FIM CM MVP

    • Proposed as answer by Vadims Podans MVP Friday, August 14, 2015 6:25 AM
    • Marked as answer by Shim Kwan Wednesday, August 19, 2015 4:53 AM
    Friday, August 14, 2015 2:42 AM

All replies

  • Thanks Paul, so if we were to summarize the high level steps:

    1. Verify apps, OS's, devices, etc support SHA2
    2. Verify, and if required convert from CSP to KSP on all CA servers
    3. Convert all CA servers to SHA2 (by running certutil -setreg ca\csp\CNGHashAlgorithm SHA256)

    Cheers


    • Edited by Shim Kwan Friday, August 14, 2015 4:24 AM
    Friday, August 14, 2015 4:23 AM
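    The steps above, as an added pre-flight script that is not part of the thread and not Microsoft's own tooling. It checks the point Paul raises first (is the CA key on a legacy CSP or a CNG KSP, because `CNGHashAlgorithm` only takes effect under a KSP), reports the current setting, and only with the script's own `-Apply` switch runs the `certutil -setreg` command from the thread and restarts the CA service, which is required for the new value to take effect. Assumptions: it runs in an elevated PowerShell session on the CA server, the CA configuration lives under `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration`, and a provider whose name contains "Key Storage Provider" is treated as a KSP.

```powershell
# Added example (not from the thread): pre-flight check and optional switch of an
# ADCS CA to SHA-256. Run elevated on the CA server. -Apply is this script's own switch.
param(
    [switch]$Apply   # without -Apply the script only reports; with it, it reconfigures the CA
)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active          # name of the active CA
$cspKey = Join-Path $cfg "$caName\CSP"
$csp    = Get-ItemProperty -Path $cspKey

# CNGHashAlgorithm is honoured only when the CA key lives in a CNG key storage
# provider (KSP); legacy CryptoAPI CSPs ignore it. Heuristic: match on the provider name.
$isKsp = $csp.Provider -like '*Key Storage Provider*'
$currentHash = if ($csp.PSObject.Properties['CNGHashAlgorithm']) {
    $csp.CNGHashAlgorithm
} else {
    'n/a (legacy CSP, value not present)'
}

[pscustomobject]@{
    CA               = $caName
    Provider         = $csp.Provider
    UsesKsp          = $isKsp
    CNGHashAlgorithm = $currentHash
} | Format-List

if (-not $isKsp) {
    Write-Warning "CA '$caName' still uses a legacy CSP. Convert its key to a KSP first (TechNet article linked in the thread); changing CNGHashAlgorithm now would have no effect."
    return
}

if ($Apply -and $currentHash -ne 'SHA256') {
    # The command from the thread; the CA reads the value only at service start.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service -Name CertSvc

    # Re-read the key so the printed value is what the CA will sign with from now on.
    "Now signing with: " + (Get-ItemProperty -Path $cspKey).CNGHashAlgorithm
}
elseif (-not $Apply) {
    "Dry run only; re-run with -Apply to switch CA '$caName' to SHA256."
}
```

    Run it once without `-Apply` on each CA (root first, while it is online for the change), confirm `UsesKsp` is true, then run it with `-Apply`. Step 1 of the list (testing relying parties) is not something a script on the CA can do for you; it has to be done against the actual clients, devices and applications that will validate the new signatures.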
  • Also, what about all the existing certificates already issued by the 2 CAs... will these need to be renewed at the same time?
    Friday, August 14, 2015 4:52 AM
  • On Fri, 14 Aug 2015 04:23:49 +0000, Shim Kwan wrote:

    1. Verify apps, OS's, devices, etc support SHA2
    2. Verify, and if required convert from CSP to KSP on all CA servers

    3. Convert all CA servers to SHA2 (by running certutil -setreg ca\csp\CNGHashAlgorithm SHA256)

    Essentially yes.


    Paul Adare - FIM CM MVP

    Friday, August 14, 2015 5:13 AM
  • On Fri, 14 Aug 2015 04:52:30 +0000, Shim Kwan wrote:

    Also, what about all the existing certificates already issued by the 2 CAs... will these need to be renewed at the same time?

    No, they are still signed by a valid CA certificate. As long as SHA1 is
    accepted, those certs will continue to work.


    Paul Adare - FIM CM MVP

    Friday, August 14, 2015 5:14 AM
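    Since the existing SHA-1 certificates keep working until SHA-1 itself stops being accepted, the practical follow-up is an inventory so they can be renewed on their own schedule instead of all at once. The script below is an added example, not part of the thread: it lists the certificates in the local machine stores by signature hash and sorts the SHA-1 ones by expiry. It is read-only and works on any Windows machine, not just the CA. Assumptions: the `Cert:` provider and the `SignatureAlgorithm.FriendlyName` values (`sha1RSA`, `sha256RSA`) that .NET reports; the store list is this example's choice.

```powershell
# Added example (not from the thread): inventory certificates in the local machine
# stores by signature hash algorithm to plan renewal of SHA-1 issued certificates.
$stores = 'My', 'CA', 'Root'   # personal, intermediate CAs, trusted roots (example's choice)

$inventory = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        $sigAlg = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SigAlg     = $sigAlg
            NotAfter   = $_.NotAfter
            IsSha1     = $sigAlg -match '^sha1'
            SelfSigned = $_.Subject -eq $_.Issuer
        }
    }
}

# Self-signed roots are outside the SHA-1 deprecation: trust in a root comes from its
# presence in the store, not from its own signature, so leave them out of the renewal list.
$needsRenewal = $inventory |
    Where-Object { $_.IsSha1 -and -not $_.SelfSigned } |
    Sort-Object NotAfter

"Certificates by signature algorithm:"
$inventory | Group-Object SigAlg | Select-Object Name, Count | Format-Table -AutoSize

"SHA-1 signed certificates (non-root), soonest expiry first:"
$needsRenewal | Format-Table Store, Subject, Issuer, NotAfter -AutoSize
```

    Note that the subordinate CA's own certificate shows up in this list too: switching `CNGHashAlgorithm` changes what the CA signs from then on, but its own certificate keeps the hash it was issued with until the CA certificate is renewed from the root.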