Upgrade Certification Authority to SHA256

First published on TECHNET on Sep 19, 2013

A common question in the field is about upgrading a certification authority running on 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in 2008 and higher operating systems, as a result,
an upgrade to the operating system is required. After upgrading the certification authority's operating system, you will need to run
the following commands from an elevated command line window:

certutil -setreg cacspCNGHashAlgorithm SHA256

net stop certsvc

net start certsvc

Make sure you are  using a Key Provider that supports SHA256 – for example the Microsoft Key Provider – and then renewing the certification authority's .

If this proves to be too complicated, then you can simply issue certificates to clients using SHA256 even if the entire certification authority's chain is signed with SHA1 certificates. The applications consuming the SHA256 certificates have to support the SHA256 signature on any given in the chain.

Amer Kamal

Senior Premier Field Engineer


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.