Cross-Certification with Entrust CA
Hi All,

I have a requirement to do a unilateral cross certification between a 2008 R2 Microsoft Enterprise CA with an Entrust CA (where the Entrust CA trusts my CA). I can get the process to work beautifully, however there is one niggle. When I create the cross-CA request the signature algorithm on the request is sha256RSA. This is a bit confusing as the CA is most definitely installed with the signature algorithm sha1RSA (using an nCipher KSP). This is a problem as the crypto policy defined by the partner organisation prohibits the use of sha2. I need some way to specify the request hash algorithm in my policy.inf file for the cross CA request, does anyone know how to do this? Let me know if you want to see the policy files used, certutil dumps of the req or registry dumps from the CA.

Many Thanks
Chris
August 5th, 2011 6:53am

It seems that your CA is configured to sign certificates with sha2rsa algorithm. To change this behavior run the following commands on your CA server:

certutil -setreg ca\csp\CNGHashAlgorithm SHA1
net stop certsvc && net start certsvc

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 6th, 2011 4:01am

Hi Vadims,

Thanks for your answer but that is not my issue. Just to clarify, the CA is configured to sign certificates using SHA1 as set during installation. My problem is with the algorithm the CA is using to sign the actual CSR being used to generate the cross CA certificate with the partner organisation. It appears that because I'm using a KSP it is defaulting to using SHA2 as the request hash, regardless of the configuration set during installation. I need a configuration option similar to the one on the version 3 template where you can set the hash used for certificate requests. I can't do this however as I'm using policy.inf files to generate the request and not using templates due to the way the cross-CA request is generated for an Entrust CA.

By way of example, here is the output of certutil -getreg ca\csp\CNGHashAlgorithm from my CA:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\PS CA\csp:
  CNGHashAlgorithm REG_SZ = SHA1
CertUtil: -getreg command completed successfully.

And here is the output of certutil run against my generated CSR on the same box:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=X-CA Test

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01 00 b8 ed bc 5e be 85 09
    0010  b0 a6 ec f0 53 9f f6 24 90 b2 5d 46 ba fa 0a 41
    0020  29 d7 55 b2 4d 6b 03 eb c5 2e d8 92 dc c3 eb 5e
    0030  b0 f7 f7 d2 f6 48 b0 ca 8b 55 53 92 7a ea dd 2b
    0040  86 78 e5 cd 96 c5 fb 0c 99 a6 31 64 dc e0 1e 56
    0050  a2 4e e6 6d 49 0e 38 da f0 af ff 95 b5 8d 78 91
    0060  10 d7 f5 aa 96 7a ef 87 3a 15 2d 96 f7 de ef 90
    0070  d8 ba f4 be bf ec 8d cf d2 85 0b 9a 68 e2 4c 77
    0080  dc 53 9f d6 b8 3f a2 a1 33 d8 81 02 97 7b 83 5a
    0090  bd 20 fa 42 76 3b 43 cc 7e 2a 36 06 20 70 9f 9b
    00a0  b3 22 2e cf 64 3c 1c c9 e6 d5 b6 1a 43 c7 07 29
    00b0  fe 8f 70 38 ce 19 39 1d 78 2c 2b bc 98 94 9d ab
    00c0  36 c5 d8 07 df 91 c1 ff 32 54 43 18 2a b7 44 46
    00d0  79 5f c9 f6 5c e2 44 8a d0 8e 8b 1a 31 cd 0e b9
    00e0  0b 4d fa 7b 4e 60 13 bf 2d a4 0c 41 15 6c ec 48
    00f0  b0 ac 3a c3 9e 9d 3b 36 e6 a9 51 95 a3 d0 04 8f
    0100  cf 86 69 65 79 21 06 64 e5 02 03 01 00 01
Request Attributes: 4
  4 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
    6.1.7600.2

  Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[1][0]:
    Unknown Attribute type
    Certificate Extensions: 1
        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            1d 01 cb b9 ca 7a 0e 0d d6 51 28 b5 ba ca 34 4f 09 d1 1e 11

  Attribute[2]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[2][0]:
    Unknown Attribute type
    Client Id: = 9
    ClientIdCertReq -- 9
    User: XXXX
    Machine: XXXX
    Process: certreq

  Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
    Value[3][0]:
    Unknown Attribute type
    CSP Provider Info
    KeySpec = 0
    Provider = Microsoft Software Key Storage Provider
    Signature: UnusedBits=0

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  57 40 73 ae ba e2 ca 88 5e e1 b9 42 48 5f 94 ae
    0010  4f 13 89 b5 8b 26 0c 6e f0 2e a3 e5 b8 77 da 25
    0020  5c a7 74 67 fa 2b 34 cf d3 59 3b 47 92 a1 11 31
    0030  1a 73 a8 2d eb 9c 1b 7c 8f f9 42 44 eb 70 e8 52
    0040  ef 36 1c 3c ce 87 36 87 c5 93 cc 56 0c 10 38 47
    0050  0c 44 c0 be 0d f8 01 52 3c f8 15 d7 9e 56 d2 3b
    0060  24 aa 08 ff 09 df 2e 2e ef 4e 8e 56 a6 f5 b1 2d
    0070  9c 54 8a bc e8 40 e8 c1 b9 a9 1d 57 8a c9 c7 76
    0080  d5 5d 48 e0 21 15 3d 2f 83 a4 21 c5 99 70 a1 67
    0090  6d fa b8 b1 df 67 d6 cc f9 27 8a 51 be 02 6c 8f
    00a0  d9 6a 1b 7e c8 17 02 df 74 55 56 b6 0d 9c fb e8
    00b0  10 2c f5 71 e2 a2 20 34 1d 1e 30 1b 3a 83 af ca
    00c0  ce cc c1 a2 6f 19 5a e3 1e da 9c 53 d7 90 4e 69
    00d0  86 02 7c 94 af 35 68 a8 65 70 04 49 64 e5 c5 11
    00e0  8c 65 96 99 ff 93 12 63 20 f1 15 aa 3d 4e 87 84
    00f0  d1 f6 8d 5c 32 aa 09 ac f9 b0 b6 4b 2d fc 1d 8a
Signature matches Public Key
Key Id Hash(rfc-sha1): 1d 01 cb b9 ca 7a 0e 0d d6 51 28 b5 ba ca 34 4f 09 d1 1e 11
Key Id Hash(sha1): 87 27 07 bc ae c8 80 e3 94 e9 d1 5c 65 52 c3 b6 e6 5a 31 52
CertUtil: -dump command completed successfully.

Also see the information in my policy.inf file used to generate the cross-CA request. This CSR is generated using certreq -new <PolicyinFile> <CSROut>

[NewRequest]
UseExistingKeySet = TRUE
KeyContainer = "PS CA"
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
Subject = "CN=X-CA Test"

Once the CSR has been generated I then encode it into the correct format for Entrust by running this command:

certutil -decode <CSRFile> <NewCSROut>.der

Note that this CA uses the Microsoft Key Storage Provider and not the nCipher one as in my first post, however the principle is the same and I get the same result. If you have any other ideas it would be much appreciated, also there may be a delay in any of my replies as I'm off work this week and going away for a few days.

Many Thanks
Chris

P.S. Keep up the CA powershell stuff Vadims, it's awesome!
August 9th, 2011 3:01am

Try to edit your request INF file by adding this line under the NewRequest section:

HashAlgorithm = SHA1

This will force the request hash to be calculated using SHA1.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 9th, 2011 5:46am
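The check that settles both the diagnosis above (certutil -dump showing sha256RSA on the request) and the fix (HashAlgorithm = SHA1 in the INF) is the signatureAlgorithm OID in the PKCS#10 structure itself. The following is an added example, not code from this thread or from either poster: a standard-library Python reader that pulls that OID out of a DER or certreq-style PEM request and reports whether it meets a partner policy that only allows sha1RSA. The OID names follow certutil's output; the sample CSR it builds is a constructed skeleton with a dummy signature, so it is only useful for exercising the parser, and the CA, key container and provider names from the thread are not involved.

```python
"""Read the signatureAlgorithm OID out of a PKCS#10 request and check it
against a partner hash policy. Added example; the sample CSR is constructed."""
import base64

# RSA PKCS#1 v1.5 signature OIDs (RFC 8017), named the way certutil prints them
RSA_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1RSA",
    "1.2.840.113549.1.1.11": "sha256RSA",
    "1.2.840.113549.1.1.12": "sha384RSA",
    "1.2.840.113549.1.1.13": "sha512RSA",
}

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content octets -> dotted string (first byte = 40*a + b, then base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    """Strip the -----BEGIN/END----- armour certreq writes and base64-decode the body."""
    lines = [l.strip() for l in text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def der_to_pem(der):
    """Inverse of pem_to_der, using the header certreq emits for new requests."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n-----END NEW CERTIFICATE REQUEST-----\n" % body

def csr_signature_algorithm(der):
    """Return the dotted OID of the CSR's outer signatureAlgorithm.

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo  CertificationRequestInfo,
        signatureAlgorithm        AlgorithmIdentifier,   -- the field checked here
        signature                 BIT STRING }
    """
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _info, pos = _tlv(body, 0)           # skip certificationRequestInfo
    tag, algid, _ = _tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    return _decode_oid(oid)

def check_hash_policy(der, allowed=("sha1RSA",)):
    """Name the request hash and say whether the partner's policy permits it."""
    oid = csr_signature_algorithm(der)
    name = RSA_SIG_OIDS.get(oid, oid)
    return name, name in allowed

# --- constructed sample data (not a real request from any CA) ---------------
def _der(tag, content):
    """Minimal DER TLV encoder, only used to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_csr(sig_oid):
    """Structurally valid CSR skeleton: version-0 info, the given AlgorithmIdentifier,
    and 256 zero bytes standing in for a 2048-bit signature (not verifiable)."""
    info = _der(0x30, _der(0x02, b"\x00"))
    algid = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(256))
    return _der(0x30, info + algid + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(oid, "->", check_hash_policy(build_sample_csr(oid)))
```

On a real request you would feed `pem_to_der(open("request.req").read())` (or the raw bytes of the .der file produced by certutil -decode) into `check_hash_policy`; a request produced with the SHA1 INF setting comes back as `("sha1RSA", True)`, while the one dumped above would come back as `("sha256RSA", False)`. The parser only looks at the outer AlgorithmIdentifier and does not verify the signature; that is deliberate, since the policy question is which hash was used, not whether the request is valid.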

Many thanks Vadims, that did the trick! Easy when you know how :-) Cheers Chris
August 10th, 2011 12:23am
