This is the million dollar question :) We are talking about Microsoft Certification Authority servers here.
- The short answer is that it depends on the cryptographic provider the CA is using. Since each Windows version ships with a specific set of providers, you may need to upgrade your CA to a newer version of Windows to get SHA-2 support.
- Even if the CA's cryptographic provider supports SHA-2, you still have to instruct the CA to use SHA-2 for future signing operations. A capable provider does not change the hash algorithm the CA is configured to sign with.
Check these posts to get more familiar with this topic:
- PKI Certificate Services SHA-1 Deprecation
- Cryptographic Providers: SHA-1 & SHA-2 support
- SHA-2 Support – Migrate your CA from CSP to KSP
View your CA capabilities
In the figure below, a standalone root CA is installed on Windows Server 2008 R2 with the default installation options. If you open the Certification Authority console and look at the CA properties, the General tab shows two interesting things:
- The CA certificate(s). View the certificate, go to the Details tab and look at the Signature hash algorithm field: it tells you which hash function was used to sign the CA certificate itself, in this case SHA1.
- The Cryptographic settings (highlighted in yellow in the figure), which show two pieces of information:
- Cryptographic Provider: Microsoft Software Key Storage Provider
- Hash Algorithm: SHA1. This is the hash function the CA uses to sign the CRLs it publishes and the certificates it issues for requests submitted to it.
In summary, the CA certificate is signed with SHA-1, and whenever the CA signs a certificate or a CRL it uses SHA-1 as well. Keep in mind that these are two independent things: the hash on the CA certificate was chosen when that certificate was signed, while the Hash Algorithm setting governs what the CA signs from now on. A CA whose own certificate is SHA-1 can still issue SHA-2 certificates once it is configured to do so.
Is my CA capable of issuing SHA-2 Certificates?
Check your CSP
First, check the CA's cryptographic provider as shown in the picture above. The provider determines whether your CA can sign with SHA-2 at all.
If the provider is a CNG Key Storage Provider (the Microsoft ones carry "Key Storage Provider" in their name, for example Microsoft Software Key Storage Provider), then you are using the new CNG KSP, which definitely supports SHA-2.
If the provider is a legacy CryptoAPI CSP (names such as Microsoft Strong Cryptographic Provider or Microsoft Enhanced RSA and AES Cryptographic Provider), you have to check whether that particular CSP supports SHA-2. Not all of them do: the Enhanced RSA and AES provider does, the older Strong/Base/Enhanced RSA providers do not.
Otherwise, if you are using a third-party provider (an HSM vendor's CSP or KSP, for example), check with the supplier.
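The checks above can be done without opening the console. The following PowerShell script is an added example (not from the original post): it reads the CA's provider settings from the CertSvc configuration in the registry under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, classifies the provider as CNG KSP or legacy CSP, and reads the signature algorithm of the CA's own certificate. It assumes you run it as an administrator on the CA itself; the CALG_* values and provider type numbers in the comments are standard CryptoAPI constants.

```powershell
# Added example, not part of the original post. Run as administrator on the CA.
# Reads the CA's cryptographic settings from the CertSvc registry configuration.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$csp       = Get-ItemProperty -Path (Join-Path $configKey "$caName\CSP")

# ProviderType 0 means a CNG Key Storage Provider; any other value is a
# legacy CryptoAPI provider type (1 = PROV_RSA_FULL, 24 = PROV_RSA_AES).
$isKsp = ($csp.ProviderType -eq 0)

"CA name               : $caName"
"Cryptographic provider: $($csp.Provider)"
"Provider type         : $($csp.ProviderType) ($(if ($isKsp) { 'CNG KSP' } else { 'legacy CSP' }))"

if ($isKsp) {
    # KSPs store the signing hash by name in CNGHashAlgorithm (e.g. SHA1, SHA256).
    "Signing hash (CNGHashAlgorithm): $($csp.CNGHashAlgorithm)"
    "SHA-2 capable                  : yes (CNG KSP)"
}
else {
    # Legacy CSPs store the hash as a CryptoAPI ALG_ID (CALG_*):
    # 0x8003 = MD5, 0x8004 = SHA-1, 0x800C = SHA-256, 0x800D = SHA-384, 0x800E = SHA-512.
    $calg = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
    $algId = [int]$csp.HashAlgorithm
    $name  = if ($calg.ContainsKey($algId)) { $calg[$algId] } else { '0x{0:X}' -f $algId }
    "Signing hash (HashAlgorithm)   : $name"

    # PROV_RSA_AES (type 24, e.g. 'Microsoft Enhanced RSA and AES Cryptographic Provider')
    # supports SHA-2; PROV_RSA_FULL providers (type 1) do not. Third-party CSPs: ask the vendor.
    $sha2 = switch ($csp.ProviderType) {
        24      { 'yes (PROV_RSA_AES)' }
        1       { 'no (PROV_RSA_FULL, SHA-1/MD5 only)' }
        default { 'unknown - check with the provider vendor' }
    }
    "SHA-2 capable                  : $sha2"
}

# The hash on the CA certificate itself is a separate question: export the
# current CA certificate with certutil and read its signature algorithm.
$cerPath = Join-Path $env:TEMP 'ca.cer'
certutil -ca.cert $cerPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"CA certificate signed with     : $($caCert.SignatureAlgorithm.FriendlyName)"   # sha1RSA, sha256RSA, ...
```

On the Windows Server 2008 R2 default installation shown in the figure you would expect to see Microsoft Software Key Storage Provider, provider type 0, CNGHashAlgorithm SHA1 and a CA certificate signed with sha1RSA.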
Configure your CA to use SHA-2
If, for example, your CA uses a CNG KSP, you can configure it to issue SHA-2 certificates by running this command
You may need to stop and start the CA service for the new setting to take effect. From then on the CA will use SHA-2 to sign the following:
- Any CRL it produces.
- Any issued Certificate.
- The CA certificate when renewed.
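As an added example (not from the original post), the following PowerShell script carries the whole procedure through on a KSP-based CA: it sets the CNG hash algorithm to SHA256 with certutil -setreg, restarts the CA service, and then publishes a fresh CRL and checks its signature algorithm so you can confirm the change actually took. It assumes it is run as an administrator on the CA, that the CA uses a CNG KSP (it refuses to run against a legacy CSP), and that CRLs are published to the default CertEnroll folder.

```powershell
# Added example, not part of the original post. Run as administrator on the CA.
# Switches a KSP-based CA to SHA-256 and verifies the result on a new CRL.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$cspKey    = Join-Path $configKey "$caName\CSP"
$csp       = Get-ItemProperty -Path $cspKey

if ($csp.ProviderType -ne 0) {
    # Legacy CryptoAPI CSP: the equivalent setting is the CALG_* value in
    # ca\csp\HashAlgorithm (0x800C for SHA-256), and it only works if the CSP
    # itself supports SHA-2. Otherwise migrate the CA to a KSP first.
    throw "CA '$caName' uses legacy CSP '$($csp.Provider)'; this script only handles CNG KSPs."
}

"Before: CNGHashAlgorithm = $($csp.CNGHashAlgorithm)"

# Set the hash the CA will use for all future signing operations
# (CRLs, issued certificates, and the CA certificate when it is renewed).
certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# The CA service reads its configuration at startup, so restart it.
Restart-Service -Name CertSvc
Start-Sleep -Seconds 5   # give the service a moment to finish initialising

$after = (Get-ItemProperty -Path $cspKey).CNGHashAlgorithm
"After : CNGHashAlgorithm = $after"

# Publish a new CRL and inspect the newest base CRL (delta CRLs have '+' in the name).
certutil -crl | Out-Null
$crl = Get-ChildItem (Join-Path $env:windir 'System32\CertSrv\CertEnroll') -Filter '*.crl' |
       Where-Object { $_.Name -notlike '*+*' } |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1

# certutil -dump prints the signature algorithm as OID plus friendly name,
# e.g. "Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA".
$dump    = certutil -dump $crl.FullName
$sigLine = ($dump | Select-String 'Algorithm ObjectId' | Select-Object -First 1).Line.Trim()
"CRL $($crl.Name) signature: $sigLine"

if ($sigLine -notmatch '1\.2\.840\.113549\.1\.1\.11|sha256') {
    Write-Warning 'The new CRL is not signed with SHA-256; check the CA event log and the provider.'
}
```

Checking the CRL rather than only the registry value is the useful part: the registry tells you what the CA was told to do, the CRL tells you what the CA actually did after the restart. Certificates issued from this point on will carry the same sha256RSA signature algorithm.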
Renew your CA certificate to use SHA-2
What about the CA certificate itself? Since the CA is now configured to use SHA-2 for all signing operations, renewing the CA certificate will produce a certificate signed with SHA-2. Note that this holds for a root CA, which signs its own certificate; the certificate of a subordinate CA is signed by its parent, so the hash on it is decided by the parent CA's configuration. I will redirect you to this blog post for the steps to renew your CA certificate and verify that it is using SHA-2.