Cannot Issue Certificate Signed with SHA256
I am trying to issue a SHA256-signed certificate but am unable to do so. I've tried creating templates that use SHA256, but the resulting certificates always revert to SHA1.

I have an offline Windows 2008 Root CA with a child Enterprise CA running on Windows 2008 Enterprise, integrated into our Active Directory. I believe the Root CA and Enterprise CA were both set up using SHA1-signed certificates. Does this mean that these CAs are limited to issuing SHA1-signed certificates? If not, what am I doing wrong in generating a SHA256 certificate? If so, are there any recommended workarounds short of recreating a new CA infrastructure?

Thanks in advance for your assistance. I recently "inherited" administration of our Enterprise CA and am still getting up to speed.

Eric
May 14th, 2010 9:00pm

Hi,

This depends on what CSP you have installed. If SHA256 is supported, you can change the hash algorithm with the following command:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256

You need to restart Certificate Services in order for the change to be applied. Beware: once you have changed the hash algorithm, it will be used in all certificates that are issued after the change.
May 17th, 2010 9:12am

Yes, you should re-sign your CA certificates as SHA256 for your root and sub CA. You may also need to enable CNG on the CAs as part of that process.

Typically you would update your capolicy.inf file (if you have one) in the %systemroot% directory (e.g. c:\windows). If you do not use an .inf file, then you would need to update the registry prior to renewing. In the .inf file, update with the following:

    [certsrv_server]
    DiscreteSignatureAlgorithm=1
    HashAlgorithm=RSASHA256

You can re-sign your CA certs with:

    certutil -renewcert reusekeys

Note that you need to use this with caution, as not all older client OSes will recognize CNG algorithms, or they may require patching to recognize them. If everything is Vista/2008 and newer you're fine; for anything older, make sure you test (okay, you should test any major change anyway...).
May 18th, 2010 12:58am
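Before and after applying the registry change and CA renewal described in the two answers above, it helps to confirm what the CA is actually configured to sign with and whether SHA-1 signed certificates are still present. The following PowerShell script is an added example, not code from the thread; it assumes it is run on the issuing CA (so certutil and the CA registry keys exist) and inspects the local machine certificate stores.

```powershell
# Added example (not from the thread): audit the CA's configured signing hash
# and report any certificates in the local machine stores still signed with
# MD5 or SHA-1. Assumes it runs on the issuing CA itself.

# 1. Show the CA-side setting that 'certutil -setreg ca\csp\CNGHashAlgorithm'
#    writes, plus the configured provider. CNGHashAlgorithm is only honoured
#    when the CA key lives in a CNG key storage provider (not a legacy CSP).
Write-Host "== CA signing-hash configuration =="
certutil -getreg ca\csp\Provider 2>$null
certutil -getreg ca\csp\CNGHashAlgorithm 2>$null

# 2. Enumerate certificates (including the CA's own certificate) and flag
#    weak signature hashes. SignatureAlgorithm.FriendlyName is e.g. 'sha1RSA'
#    or 'sha256RSA'.
function Get-SignatureHashReport {
    param(
        [string[]]$StorePaths = @(
            'Cert:\LocalMachine\My',
            'Cert:\LocalMachine\CA',
            'Cert:\LocalMachine\Root'
        )
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $alg = $_.SignatureAlgorithm.FriendlyName
            [pscustomobject]@{
                Store     = $path
                Subject   = $_.Subject
                Issuer    = $_.Issuer
                NotAfter  = $_.NotAfter
                Algorithm = $alg
                Weak      = ($alg -match '^(md5|sha1)')   # true for MD5/SHA-1
            }
        }
    }
}

$report = Get-SignatureHashReport
$report | Sort-Object Weak -Descending | Format-Table -AutoSize

$weak = @($report | Where-Object Weak)
Write-Host ("{0} certificate(s) still carry an MD5/SHA-1 signature." -f $weak.Count)
```

Run it once before changing the CA and again after the renewal and service restart: the CA's own certificate should move from sha1RSA to sha256RSA, and newly issued certificates should no longer appear in the weak list.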

Hi,

For more information, you can refer to the following articles:

    CryptoAPI Cryptographic Service Providers
    http://msdn.microsoft.com/en-us/library/bb931357(v=VS.85).aspx

    CNG Features
    http://msdn.microsoft.com/en-us/library/bb204775(VS.85).aspx

Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 21st, 2010 5:48am
