Is it possible to change the hash algorithm when I renew the Root CA
My Root CA is installed on a Windows Server 2008. The hash algorithm of the Root CA in my environment is MD5. I would like to renew the Root CA and change the hash algorithm to SHA1. Is it possible to change it? Regards, Terry | My Blog: http://terrytlslau.tls1.cc
May 1st, 2012 2:14pm

afaik, if you want to change CA certificate hash algorithm and/or CSP, you have to reinstall CA server (these values can be changed during CA service installation). My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
May 1st, 2012 3:42pm


Hi,

The hashing algorithm chosen during the setup of a Certificate Authority determines how the certificates that the CA issues are digitally signed. It is a one-algorithm-per-CA scenario, so if your environment requires multiple algorithms for compatibility, then you will need multiple PKI hierarchies (one for each algorithm). Prior to Windows 2008, you had to rebuild the CA and decommission the entire PKI hierarchy to change the signing algorithm used. In Windows 2008 and 2008 R2, we allow you to change the algorithm, and from that point forward it will digitally sign all new certificates with the updated algorithm. The "Certificate Services Enhancements in Longhorn Server" whitepaper describing these steps can be found under the section "Configuring the Cryptographic Algorithms used by the CA".

Step 1: Verify the configuration of the CRL and AIA paths. Sometimes users will manually change these paths to not include the CRL name suffix variable that distinguishes multiple certificates on a CA. This is important because the process of changing the algorithm requires the renewal of the private key and results in administration of multiple CA certificates. When we publish multiple .crt and .crl files, they will be identified as CAName and CAName(1). You can verify these paths include the variables by checking the registry keys below:

[HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}]
CRLPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
CACertPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

Step 2: Modify the CSP parameters to specify the new algorithm. The CSP may use the original CryptoAPI or Cryptography API: Next Generation; you can verify this by looking in the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}\CSP. If you have the registry values CNGPublicKeyAlgorithm and CNGHashAlgorithm, then your CSP is using Next Generation. In this example we changed the algorithm from MD5 to SHA1 on a CA that was using Cryptography API: Next Generation. The original registry values were:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008003
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="MD5"
"MachineKeyset"=dword:00000001

We changed them to:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008004
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
"MachineKeyset"=dword:00000001

Step 3: Restart the CA service. You can do this in the CA MMC: right-click on the CA and choose "Stop Service" and then "Start Service".

Step 4: Renew the CA certificate with a new private key. Right-click on the CA and choose "Renew CA Certificate". Choose to renew the public and private key pair. On completion, this will result in the CA having two certificates. You will see that the old one has MD5 for the Signature Hash Algorithm and that the new certificate uses SHA1.

Hope this helps!

Best Regards,
Elytis Cheng
TechNet Community Support
May 1st, 2012 9:45pm
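The four steps in the answer above, scripted as an added example (this is not code from the thread or from Microsoft). It reads the active CA name from the CertSvc registry, refuses to continue if the CDP/AIA templates have lost the per-certificate tokens (%%8 CRLNameSuffix, %%4 CertificateName), switches the CNG hash values shown in the post, restarts certsvc and optionally renews the CA certificate with a new key pair, then lists every CA certificate in the machine store with the hash it was signed with. Assumptions: the CA uses a CNG key storage provider (the CNGHashAlgorithm value exists), the script runs elevated on the CA host, and `certutil -renewCert` is used in place of the MMC renew dialog. The SHA256 entry (CALG_SHA_256 = 0x800c, CNG name "SHA256") goes beyond the MD5/SHA1 values the thread shows.

```powershell
<#
  Added example, not from the original thread. Automates the answer's four
  steps on a CNG-based Windows CA and reports the resulting CA certificates.
  Assumes an elevated session on the CA host. SHA256 mapping is an extension
  beyond the thread's MD5 (0x8003) / SHA1 (0x8004) values.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('SHA1', 'SHA256')]
    [string]$NewHash = 'SHA1',
    [switch]$Renew   # also run certutil -renewCert (new key pair) after the change
)

# CryptoAPI ALG_ID values stored in the legacy HashAlgorithm DWORD.
$algId = @{ MD5 = 0x8003; SHA1 = 0x8004; SHA256 = 0x800c }

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$cspKey = Join-Path $caKey 'CSP'

# Step 1: CDP/AIA templates must keep the tokens that distinguish CAName
# from CAName(1); without them the renewed CA's CRL/CRT files would
# overwrite the original ones.
$cfg    = Get-ItemProperty -Path $caKey
$badCdp = @($cfg.CRLPublicationURLs    | Where-Object { $_ -match '\.crl$' -and $_ -notmatch '%%8' })
$badAia = @($cfg.CACertPublicationURLs | Where-Object { $_ -match '\.crt$' -and $_ -notmatch '%%4' })
if ($badCdp.Count -or $badAia.Count) {
    ($badCdp + $badAia) | ForEach-Object { Write-Warning "Missing name-suffix token: $_" }
    throw 'Fix CRLPublicationURLs / CACertPublicationURLs before renewing the CA key.'
}

# Step 2: confirm the CA is on CNG, then switch both hash values together.
$csp = Get-ItemProperty -Path $cspKey
if (-not $csp.PSObject.Properties['CNGHashAlgorithm']) {
    throw "CA '$caName' uses a legacy CryptoAPI CSP; this script only handles CNG (KSP) CAs."
}
Write-Host ("Current hash: {0} (HashAlgorithm=0x{1:x})" -f $csp.CNGHashAlgorithm, $csp.HashAlgorithm)

if ($PSCmdlet.ShouldProcess($caName, "Change CSP hash $($csp.CNGHashAlgorithm) -> $NewHash")) {
    Set-ItemProperty -Path $cspKey -Name CNGHashAlgorithm -Value $NewHash          -Type String
    Set-ItemProperty -Path $cspKey -Name HashAlgorithm    -Value $algId[$NewHash]  -Type DWord

    # Step 3: the CA service only reads the CSP values at startup.
    Restart-Service -Name certsvc

    # Step 4: renew with a NEW key pair (no ReuseKeys), as the MMC dialog does.
    if ($Renew) { & certutil.exe -renewCert | Write-Host }
}

# Report every CA certificate and its signature hash. After a renewal you
# should see the old md5RSA certificate beside a new sha1RSA/sha256RSA one.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Select-Object NotBefore, Thumbprint,
        @{ n = 'SigHash'; e = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize
```

Run it once with `-WhatIf` to see the planned change, then with `-Renew` to perform the renewal. As the answer says, the new hash applies only to signatures made from that point on: the old MD5 CA certificate, its CRLs and every certificate already issued under it stay MD5-signed until they are reissued, and the new root certificate still has to be distributed to relying parties. Note also that SHA1 itself is now rejected for certificate signatures by current browsers and Windows, which is why the example accepts SHA256 as well.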

Hello Elytis, Thanks for your reply. I will try this solution in the test environment. Regards, Terry | My Blog: http://terrytlslau.tls1.cc
May 1st, 2012 11:12pm


Hi, Glad to hear that it makes sense. Best Regards, Elytis Cheng, TechNet Community Support
May 2nd, 2012 2:50am

