What makes a CA capable of issuing certificates that uses SHA-2?

This is the million dollars question:) We are talking about Microsoft Certification Authority Servers here.

  • The short answer is that this depends on the Cryptographic Provider that CA is using. And since each Windows version ships with specific set of providers, you may need to upgrade your CA to a newer version of Windows in order to support SHA-2.
  • Even if you are using a cryptographic provider that supports SHA-2, you need to instruct the CA to use SHA-2 for future signing requests.

Check these posts to help you get more familiar about this topic:

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

14 comments on “What makes a CA capable of issuing certificates that uses SHA-2?

  1. Pingback: SHA-1 Broken, Migrating to SHA-2 | Ammar Hasayen - Blog

  2. Pingback: PKI Certificate Services SHA-1 Deprecation | Ammar Hasayen - Blog

  3. Excellent article, one question: Configuring the CA to use SHA-2 for signing doesn’t affect certificates that have already been issued?

  4. Hello!
    I have try to change the algorithm of my CA.
    Using certutil to change the values of reg was successful.

    After renew root CA algorithm are still SHA-1.
    Windows Server 2012 R2.
    Do you already had such a problem?

  5. Hi. Went from Win2k8 to Win2k12r2 on both my root and issuing cert servers with no issues using your article. Thank You. The signature algorithm and signature hash algorithm are now sha256.

    I did notice though that the thumbprint algorithm still says sha1. Did I miss a step? When I go to the certsrv web site, I only see sha1 as the Hash Algorithm. Do I need to update my templates?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s