Is it possible to change the hash algorithm when I renew the Root CA

  • Question

  • My Root CA is installed on a Windows Server 2008. The Hash algorithm of Root CA in my environment is MD5. I would like to renew the Root CA and change the Hash algorithm to SHA1. Is it possible to change it?

    Regards, Terry | My Blog: http://terrytlslau.tls1.cc


    • Edited by Terry_Lau Tuesday, May 1, 2012 6:10 PM Update the content
    Tuesday, May 1, 2012 6:06 PM

Answers

  • Hi,

    The hashing algorithm chosen during the setup of a Certificate Authority determines how the certificates that the CA issues are digitally signed. It is a one-algorithm-per-CA scenario, so if your environment requires multiple algorithms for compatibility, then you will need multiple PKI hierarchies (one for each algorithm). Prior to Windows 2008, you had to rebuild the CA and decommission the entire PKI hierarchy to change the signing algorithm used. In Windows 2008 and 2008 R2, we allow you to change the algorithm, and from that point forward it will digitally sign all new certificates with the updated algorithm.

    The Certificate Services Enhancements in Longhorn Server Whitepaper describing these steps can be found under the section Configuring the Cryptographic Algorithms used by the CA.

    Step 1: Verify the configuration of the CRL and AIA paths. Sometimes users will manually change these paths so that they no longer include the CRL name suffix variable that distinguishes multiple certificates on a CA. This is important because the process of changing the algorithm requires the renewal of the private key and results in the administration of multiple CA certificates. When we publish multiple CRTs and CRLs, they will be identified as CAName and CAName(1). You can verify that these paths include the variables by checking the registry keys below:

    [HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}]

    CRLPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

    CACertPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

    Step 2: Modify the CSP parameters to specify the new algorithm. The CSP may use the original CryptoAPI or Cryptography API: Next Generation; you can verify this by looking in the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}\CSP. If you have the registry values CNGPublicKeyAlgorithm and CNGHashAlgorithm, then your CSP is using Next Generation.

    In this example we changed the algorithm from MD5 to SHA1 on a CA that was using Cryptography API: Next Generation. The original registry values were:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
    "ProviderType"=dword:00000000
    "Provider"="Microsoft Software Key Storage Provider"
    "HashAlgorithm"=dword:00008003
    "CNGPublicKeyAlgorithm"="RSA"
    "CNGHashAlgorithm"="MD5"
    "MachineKeyset"=dword:00000001

    We changed them to:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
    "ProviderType"=dword:00000000
    "Provider"="Microsoft Software Key Storage Provider"
    "HashAlgorithm"=dword:00008004
    "CNGPublicKeyAlgorithm"="RSA"
    "CNGHashAlgorithm"="SHA1"
    "MachineKeyset"=dword:00000001

    Step 3: Restart the CA service. You can do this in the CA MMC: right-click the CA and choose "Stop Service" and then "Start Service".

    Step 4: Renew the CA certificate with a new private key. Right-click the CA and choose "Renew CA certificate". Choose to renew the public and private key pair. On completion, the CA will have two certificates. You will see that the old one shows MD5 as the Signature Hash Algorithm and that the new certificate uses SHA1.

    Hope this helps!

    Best Regards

    Elytis Cheng

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Elytis Cheng

    TechNet Community Support


    • Edited by Elytis Cheng Wednesday, May 2, 2012 1:39 AM
    • Marked as answer by Terry_Lau Wednesday, May 2, 2012 6:48 AM
    Wednesday, May 2, 2012 1:37 AM
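The checks and registry changes in Steps 1 to 3 of the answer above, and the after-renewal verification of Step 4, as an added PowerShell example. This is not code from the thread, from Microsoft or from the whitepaper it cites. It assumes the CA configuration key and value names the answer gives (the `Active` value under `CertSvc\Configuration` naming the CA, `CRLPublicationURLs`, `CACertPublicationURLs`, and the `CSP` subkey), the documented publication-URL token numbers (`%8` = CRL name suffix, `%4` = certificate name, stored as `%%n` in the registry), the ALG_ID values the answer's dumps show (`0x8003` = MD5, `0x8004` = SHA1) plus the SHA-2 ones (`0x800C`, `0x800D`, `0x800E`), and that `certutil.exe` is on the path. `Get-CaCspInfo` also answers the later CAPI-versus-CNG question in this thread. Run it elevated on the CA server:

```powershell
# Added example: audit the publication URL tokens, read the CSP settings, change the
# signing hash of a CNG-backed AD CS CA, and list the CA certificates after renewal.
# Assumed registry layout: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAname>

$script:CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaConfigKey {
    # The "Active" value names the CA; its subkey holds the CSP and publication settings.
    $active = (Get-ItemProperty -Path $script:CertSvcConfig -Name Active).Active
    Join-Path $script:CertSvcConfig $active
}

function Test-CaPublicationUrls {
    # Step 1: every CRL entry must carry %8 (CRL name suffix) and every AIA entry %4
    # (certificate name); without them a renewed CA key would overwrite the old files.
    param([string]$CaKey = (Get-CaConfigKey))
    $props = Get-ItemProperty -Path $CaKey
    $checks = @(
        @{ Name = 'CRLPublicationURLs';    Token = '8'; Value = $props.CRLPublicationURLs },
        @{ Name = 'CACertPublicationURLs'; Token = '4'; Value = $props.CACertPublicationURLs }
    )
    foreach ($c in $checks) {
        foreach ($entry in @($c.Value)) {
            # Each REG_MULTI_SZ element is "<flags>:<template>"; tokens appear as %%n (or %n).
            $flags, $template = $entry -split ':', 2
            [pscustomobject]@{
                Setting          = $c.Name
                Flags            = [int]$flags
                Template         = $template
                HasRenewalSuffix = [bool]($template -match ('%{1,2}' + $c.Token + '(?!\d)'))
            }
        }
    }
}

function Get-CaCspInfo {
    # Step 2: a CNG key storage provider exposes CNGPublicKeyAlgorithm/CNGHashAlgorithm;
    # a legacy CAPI CSP only has the numeric HashAlgorithm (ALG_ID, e.g. 0x8003 = MD5).
    param([string]$CaKey = (Get-CaConfigKey))
    $csp = Get-ItemProperty -Path (Join-Path $CaKey 'CSP')
    $isCng = $null -ne $csp.PSObject.Properties['CNGHashAlgorithm']
    [pscustomobject]@{
        Provider      = $csp.Provider
        Api           = if ($isCng) { 'CNG' } else { 'CAPI' }
        HashAlgorithm = if ($isCng) { $csp.CNGHashAlgorithm } else { '0x{0:X}' -f $csp.HashAlgorithm }
    }
}

function Set-CaSigningHash {
    # Steps 2 and 3: write the new hash (both the CNG name and the ALG_ID DWORD, as in the
    # answer's before/after dumps) and restart certsvc. Refuses on a CAPI CSP, which cannot
    # be pointed at SHA-2 this way; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512')][string]$Hash)
    $algId = @{ SHA1 = 0x8004; SHA256 = 0x800C; SHA384 = 0x800D; SHA512 = 0x800E }  # assumed ALG_IDs
    $info = Get-CaCspInfo
    if ($info.Api -ne 'CNG') {
        throw "CA uses a CAPI CSP ($($info.Provider)); changing the hash here requires a CNG KSP."
    }
    if ($PSCmdlet.ShouldProcess("CA signing hash $($info.HashAlgorithm) -> $Hash")) {
        & certutil.exe -setreg ca\csp\CNGHashAlgorithm $Hash | Out-Null
        Set-ItemProperty -Path (Join-Path (Get-CaConfigKey) 'CSP') -Name HashAlgorithm `
            -Value $algId[$Hash] -Type DWord
        Restart-Service -Name CertSvc
    }
}

function Get-CaCertificateHashes {
    # Step 4 check: after "Renew CA certificate" with a new key the CA holds two certificates;
    # list each with its signature hash so the old (MD5) and new ones can be told apart.
    $caName = (Get-ItemProperty -Path (Get-CaConfigKey) -Name CommonName).CommonName
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Select-Object Thumbprint, NotBefore, NotAfter,
            @{ Name = 'SignatureHash'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# Typical run: audit first, preview the change, then apply and verify after the MMC renewal.
Test-CaPublicationUrls | Format-Table -AutoSize
Get-CaCspInfo
Set-CaSigningHash -Hash SHA1 -WhatIf
Get-CaCertificateHashes | Format-Table -AutoSize
```

Any `HasRenewalSuffix = False` row is the Step 1 problem the answer warns about and should be corrected before the key is renewed; `Set-CaSigningHash` without `-WhatIf` performs Steps 2 and 3, and the MMC renewal of Step 4 is still done by hand, after which `Get-CaCertificateHashes` shows the old certificate with its MD5 signature beside the new one.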

All replies

  • afaik, if you want to change CA certificate hash algorithm and/or CSP, you have to reinstall CA server (these values can be changed during CA service installation).

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Tuesday, May 1, 2012 7:42 PM
  • Hello Elytis,

    Thanks for your reply. I will try this solution in the test environment.

    Regards, Terry | My Blog: http://terrytlslau.tls1.cc

    Wednesday, May 2, 2012 3:12 AM
  • Hi,

    Glad to hear that it makes sense.

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Wednesday, May 2, 2012 6:50 AM
  • Hi All,

    I have a CA version 6.1 configured on Win Server 2008 R2 Enterprise. I am able to generate SSL certs with a SHA-1 signature, but how do I configure it to generate certs with a SHA-2 signature algorithm?

    Do I need to build a new CA for SHA-2? I can't find clear instructions anywhere on how to do this change (SHA-1 to SHA-2).

    Please help

    Wednesday, June 11, 2014 4:28 AM
  • SHA-1 is part of the legacy CAPI providers, whereas SHA-2 is part of the Suite-B implementation provided with CNG. You cannot change from CAPI to CNG. If you wish to begin issuing certificates signed with a SHA2 hash, you will need to deploy a new CA.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, June 11, 2014 6:48 PM
  • Hi Mark,

    My current CA is installed on Win 2008 R2 Enterprise. Does the OS support CNG?

    Can we deploy the new CA on Win 2008 R2 Enterprise, or should it be on Windows 2012?

    Friday, June 13, 2014 8:27 AM
  • CNG was introduced with Windows Server 2008, so R2 does indeed support CNG. You can use anything that is 2008 or higher. If it was me, I would go with 2012 R2 since that is the latest. There are some enrollment issues to be aware of with CNG and older clients such as XP. Also, there are some new enrollment issues with 2012 R2 CAs and XP clients (requests fail due to the defaults; see the "Increased Security Enabled By Default" section of http://technet.microsoft.com/en-us/library/hh831373.aspx).

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Friday, June 13, 2014 3:56 PM