A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result,
an upgrade to the operating system is required. After upgrading the certification authority’s operating system, you will need to run
the following commands from an elevated command line window:
certutil -setreg cacspCNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
Make sure you are using a Key Storage Provider that supports SHA256 – for example the Microsoft Key Storage Provider – and then renewing the certification authority’s certificate.
If this proves to be too complicated, then you can simply issue certificates to clients using SHA256 even if the entire certification authority’s chain is signed with SHA1 certificates. The applications consuming the SHA256 certificates have to support the SHA256 signature on any given certificate in the chain.
Senior Premier Field Engineer
© Microsoft. This article was originally published by Microsoft’s Core Infrastructure and Security Blog. You can find the original article here.