What makes a CA capable of issuing certificates that uses SHA-2?

This is the million dollars question:) We are talking about Microsoft Certification Authority Servers here.

  • The short answer is that this depends on the Cryptographic Provider that CA is using. And since each Windows version ships with specific set of providers, you may need to upgrade your CA to a newer version of Windows in order to support SHA-2.
  • Even if you are using a cryptographic provider that supports SHA-2, you need to instruct the CA to use SHA-2 for future signing requests.

Check these posts to help you get more familiar about this topic:

View your CA capabilities 

In the below figure, there is a standalone root CA server installed on Windows 2008 R2 using default installation options. If you open the Certification Authority console, and you check the CA properties, you can see in the general tab two interesting things:

  1. You can see the CA Certificate(s), and if you view the certificate, go to Details tab, and then see the (Signature hash algorithm) field, you can see what is the hash function used to sign the CA certificate itself, in this case SHA1.
  2. You can see the Cryptographic settings (Marked in yellow in the figure below), that shows two interesting information
    • Cryptographic Provider: Microsoft Software Key Storage Provider
    • Hash Algorithm: SHA1 – This is the hash function used to sign the CA CRL, and to sign certificate requests submitted to this CA.

In summary, the CA certificate  uses SHA-1, and whenever it signs a request or CRL, it will use SHA-1 also.

matrix101

Is my CA capable of issuing SHA-2 Certificates?

Check your CSP

First of all, check your CA Cryptographic Provider as shown in the above picture. The CA cryptographic provider determines whether your CA supports SHA-2 or not.

If your CA is using one of these Cryptographic providers, then you are using the new CNG KSP (Key Storage Providers) that definitely supports SHA-2.

If your CA is using one of these Cryptographic providers, then you are using legacy CryptoAPI provider, and you have to check if it supports SHA-2 or not.

Else, if you are using third party provider, you have to check with the supplier.

Configure your CA to use SHA-2

If for example you are using CNG KSP provider, then you can configure your CA to issue SHA-2 certificates by running this command

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

You may need to stop and start your CA services. This means that the CA will use SHA-2 to sign the following

  • Any CRL it produces.
  • Any issued Certificate.
  • The CA certificate when renewed.

Renew your CA certificate to use SHA-2

What about the CA Certificate itself? Since the CA is now configured to use SHA-2 for all signing operations, if you renew your CA certificate, it will be signed with SHA-2. I will redirect you to this blog post for steps to renew your CA certificate and verify it is using SHA-2.

TechNet Resources

https://technet.microsoft.com/en-us/library/dn771627.aspx

12 comments on “What makes a CA capable of issuing certificates that uses SHA-2?

  1. Pingback: SHA-1 Broken, Migrating to SHA-2 | Ammar Hasayen - Blog

  2. Pingback: PKI Certificate Services SHA-1 Deprecation | Ammar Hasayen - Blog

  3. Excellent article, one question: Configuring the CA to use SHA-2 for signing doesn’t affect certificates that have already been issued?

  4. Hello!
    I have try to change the algorithm of my CA.
    Using certutil to change the values of reg was successful.

    After renew root CA algorithm are still SHA-1.
    Windows Server 2012 R2.
    Do you already had such a problem?

  5. Hi. Went from Win2k8 to Win2k12r2 on both my root and issuing cert servers with no issues using your article. Thank You. The signature algorithm and signature hash algorithm are now sha256.

    I did notice though that the thumbprint algorithm still says sha1. Did I miss a step? When I go to the certsrv web site, I only see sha1 as the Hash Algorithm. Do I need to update my templates?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s