Windows 2008r2 CA

  • Question

  • We currently are running the Enterprise CA on 2008r2 and it is issuing certs as SHA256, but the CA itself is still SHA1.  Is there a way to make the CA SHA256?  Our root CA was upgraded from 2003 to 2008, but the issuing CA is a new build on 2008r2.  I was thinking that we only need to update the signature, but I'm not sure.  Any help would be appreciated.
    Thanks,
    Lori

    Lori Gilleland

    Wednesday, April 17, 2013 6:26 PM

Answers

  • You can do the following:

    1.  Check to see what hash algorithm is currently used: certutil -getreg ca\csp\CNGHashAlgorithm - if this returns SHA256, skip to step 4.

    2.  By default the above should return SHA1.  Run this: certutil -setreg ca\csp\CNGHashAlgorithm SHA256 - This will configure the CA to use SHA256 for CNG hashes.

    3.  Restart Certificate Services: net stop CertSvc && net start CertSvc

    4.  Re-issue a new Root CA certificate: certutil -renewCert ReuseKeys

    5.  Restart Certificate Services: net stop CertSvc && net start CertSvc

    This will generate a new Root CA certificate using SHA256 as a signature algorithm and generate the appropriate cross certificates.  You can then push the new certificate to clients.  Note that CNG certs are not compatible with every platform. http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx

    • Proposed as answer by 朱鸿文 Thursday, April 18, 2013 1:51 AM
    • Marked as answer by 朱鸿文 Wednesday, April 24, 2013 4:06 AM
    Wednesday, April 17, 2013 8:45 PM
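The procedure above as one script, added here as an example and not code from the thread or from Microsoft: it is meant to be run in an elevated PowerShell session on the CA itself, and it front-loads the check that the later reply in this thread turns out to need (the CNGHashAlgorithm value is only honoured when the CA key lives in a CNG key storage provider, not a legacy CSP). Assumptions that are mine, not the thread's: certutil -getreg prints the value as "<Name> REG_SZ = <Value>"; a provider name containing "Key Storage Provider" identifies a KSP (true for the Microsoft KSPs, not guaranteed for every HSM vendor); and .NET reports an RSA/SHA-256 signature as "sha256RSA".

```powershell
# Added example (not from the original thread). Run elevated on the CA.
# Automates the answer's five steps and adds the KSP-vs-CSP check raised later in the thread.
# Assumptions (mine): certutil -getreg output looks like "  CNGHashAlgorithm REG_SZ = SHA256";
# a Provider name containing "Key Storage Provider" means a CNG KSP; .NET names the
# signature algorithm "sha256RSA" for RSA with SHA-256.

$ErrorActionPreference = 'Stop'

function Get-CaRegValue {
    param([string]$Path)                      # e.g. 'ca\csp\CNGHashAlgorithm'
    $out = & certutil.exe -getreg $Path
    if ($LASTEXITCODE -ne 0) { return $null } # value absent (typical on a CSP-based CA)
    # keep the text after '=' on the line that carries the value
    $line = $out | Where-Object { $_ -match '=\s*(.+)$' } | Select-Object -First 1
    if ($line -match '=\s*(.+)$') { return $Matches[1].Trim() }
    return $null
}

function Get-CaCertSignatureAlgorithm {
    # Export the CA's current certificate and read its signature algorithm from the cert itself
    $tmp = Join-Path $env:TEMP 'ca-current.cer'
    & certutil.exe -ca.cert $tmp | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    Remove-Item $tmp -Force
    return $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
}

# 0. Prerequisite from the later reply: the switch only works on a KSP-based CA.
$provider = Get-CaRegValue 'ca\csp\Provider'
Write-Host "CA key provider: $provider"
if ($provider -notmatch 'Key Storage Provider') {
    throw "CA key is held by a legacy CSP ('$provider'); CNGHashAlgorithm is ignored. Migrate the key to a KSP first (see the dn771627 article linked later in this thread)."
}

# 1. Check the current CNG hash algorithm.
$current = Get-CaRegValue 'ca\csp\CNGHashAlgorithm'
Write-Host "Current CNGHashAlgorithm: $current"

if ($current -ne 'SHA256') {
    # 2. Set SHA256 (value name is CNGHashAlgorithm).
    & certutil.exe -setreg 'ca\csp\CNGHashAlgorithm' SHA256 | Out-Null
    # 3. Restart Certificate Services so the CA picks up the new setting.
    Restart-Service certsvc
}

# 4. Renew the CA certificate with the existing key pair (certutil may prompt to confirm).
#    A root CA gets its new self-signed certificate directly. A subordinate CA's request
#    must be signed by the parent: if certutil leaves a .req file instead of installing a
#    certificate, submit it to the parent CA and install the result with: certutil -installCert <file>
& certutil.exe -renewCert ReuseKeys

# 5. Restart again and verify against the certificate rather than the registry.
Restart-Service certsvc
$sigAlg = Get-CaCertSignatureAlgorithm
Write-Host "CA certificate signature algorithm is now: $sigAlg"
if ($sigAlg -ne 'sha256RSA') {
    Write-Warning "Signature algorithm is $sigAlg, not sha256RSA; check whether the renewed certificate was installed."
}
```

The final check reads the signature algorithm off the installed CA certificate, which is what the poster in the September 2014 reply was looking at: a CA whose key sits in a CSP will happily accept the registry change and still renew with SHA-1, so the registry value alone is not evidence that the change took.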

All replies


  • Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’, as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Wednesday, April 24, 2013 4:06 AM
  • A small change in the above solution, in step 2 [CNGHashAlgorithm instead of CNGHashAltorithm]:

    2.  By default the above should return SHA1.  Run this: certutil -setreg ca\csp\CNGHashAlgorithm SHA256 - This will configure the CA to use SHA256 for CNG hashes.

    for more details http://dotnetstock.com/technical/how-to-generate-a-sha256-certificate-and-how-to-install-sha256-certificate-in-iis


    • Edited by victory_star Wednesday, October 23, 2013 9:08 AM
    Monday, July 22, 2013 6:10 AM
  • This thread is quite old but still valid, and as I followed all the steps, the renewed CA cert still shows SHA-1, with the Microsoft Strong Cryptographic Provider, and on the cert itself. The standalone CA is running on Windows Server 2008 R2 SP1.

    Saturday, September 6, 2014 2:08 PM
  • This thread is quite old but still valid, and as I followed all the steps, the renewed CA cert still shows SHA-1, with the Microsoft Strong Cryptographic Provider, and on the cert itself. The standalone CA is running on Windows Server 2008 R2 SP1.


    This only works if the CA is already using a KSP and not a CSP. Your CA is using a CSP so it won't work. You'll need to rebuild.
    Sunday, September 7, 2014 11:53 AM
  • This thread is quite old but still valid, and as I followed all the steps, the renewed CA cert still shows SHA-1, with the Microsoft Strong Cryptographic Provider, and on the cert itself. The standalone CA is running on Windows Server 2008 R2 SP1.


    This only works if the CA is already using a KSP and not a CSP. Your CA is using a CSP so it won't work. You'll need to rebuild.

    OK, thanks for your response. That is what I thought, but I have now found that you can migrate, so a rebuild is not needed.

    http://technet.microsoft.com/en-us/library/dn771627.aspx

    • Proposed as answer by TKHB Sunday, September 7, 2014 11:56 AM
    Sunday, September 7, 2014 11:56 AM