Is it possible to change the hash algorithm when I renew the Root CA
My Root CA is installed on a Windows Server 2008. The Hash algorithm of Root CA in my environment is MD5. I would like to renew the Root CA and change the Hash algorithm to SHA1. Is it possible to change it?
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
May 1st, 2012 2:14pm
afaik, if you want to change CA certificate hash algorithm and/or CSP, you have to reinstall CA server (these values can be changed during CA service installation).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
May 1st, 2012 3:42pm
Hi,
The hashing algorithm chosen during the setup of a Certificate Authority determines how the certificates that the CA issues are digitally signed. It is a one-algorithm-per-CA scenario, so if your environment requires multiple algorithms for compatibility, then you will need multiple PKI hierarchies (one for each algorithm). Prior to Windows 2008, you had to rebuild the CA and decommission the entire PKI hierarchy to change the signing algorithm used. In Windows 2008 and 2008 R2, we allow you to change the algorithm, and from that point forward it will digitally sign all new certificates with the updated algorithm.
The Certificate Services Enhancements in Longhorn Server whitepaper describes these steps under the section "Configuring the Cryptographic Algorithms used by the CA".
Step 1: Verify the configuration of the CRL and AIA paths. Sometimes users will manually change these paths to not include the CRL name suffix variable that distinguishes multiple certificates on a CA. This is important because the process of changing the algorithm requires the renewal of the private key and results in administration of multiple CA certificates. When we publish multiple CRT and CRL files, they will be identified as CAName and CAName(1). You can verify that these paths include the variables by checking the registry keys below:
[HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}]
CRLPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
CACertPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
Step 2: Modify the CSP parameters to specify the new algorithm. The CSP may use the original CryptoAPI or Cryptography API: Next Generation; you can verify this by looking in the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}\CSP. If you have the registry values CNGPublicKeyAlgorithm and CNGHashAlgorithm, then your CSP is using Next Generation.
In this example we changed the algorithm from MD5 to SHA1 on a CA that was using Cryptography API: Next Generation. The original registry value was:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008003
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="MD5"
"MachineKeyset"=dword:00000001
we changed it to
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"HashAlgorithm"=dword:00008004
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
"MachineKeyset"=dword:00000001
Step 3: Restart the CA service. You can do this in the CA MMC. Right-click on the CA and choose "Stop Service" and then "Start Service".
Step 4: Renew the CA certificate with a new private key. Right-click on the CA and choose "Renew CA Certificate". Choose to renew the public and private key pair. On completion, this will result in the CA having two certificates. You will see that the old one has MD5 for the Signature Hash Algorithm and that the new certificate uses SHA1.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 1st, 2012 9:45pm
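The four steps in the answer above, as one PowerShell script added here for this thread (it is not code from the original posts or from Microsoft). It assumes an elevated PowerShell 2.0 or later session on the root CA host, a single active CA, and the CNG key storage provider shown in the registry dump; the parameter names, the CALG lookup table and the dry-run switch are this example's own choices. The default target is the thread's SHA1, but the same value accepts SHA256, which is what you would pick today.

```powershell
# Added example for this thread, not code from the original posts or from Microsoft.
# Assumes: elevated PowerShell 2.0+ on the root CA host, one active CA, a CNG key
# storage provider (the thread's case). $NewHash, $Apply and the helper names are
# this example's own choices.
param(
    [string]$NewHash = 'SHA1',   # the thread's target; SHA256 is what you would choose today
    [switch]$Apply               # without -Apply nothing is changed, only reported
)

$ErrorActionPreference = 'Stop'
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey  = Join-Path $cfgKey $caName
$cspKey = Join-Path $caKey 'CSP'

# CryptoAPI ALG_ID values for the legacy HashAlgorithm DWORD (0x8003 = CALG_MD5 is what
# the original registry dump shows, 0x8004 = CALG_SHA1 is what the post changes it to).
$calgIds = @{ MD5 = 0x8003; SHA1 = 0x8004; SHA256 = 0x800c; SHA384 = 0x800d; SHA512 = 0x800e }
if (-not $calgIds.ContainsKey($NewHash)) { throw "Unknown hash name '$NewHash'" }

# Step 1: CDP and AIA URLs must carry the index variables, otherwise the renewed
# certificate's CRL/CRT files overwrite the old ones instead of becoming CAName(1).
#   %8 = CRLNameSuffix in CRLPublicationURLs, %4 = CertificateName in CACertPublicationURLs.
# The LDAP AIA object stores every CA certificate in one attribute, so it needs no %4.
$crlUrls  = (Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs
$certUrls = (Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs
$badCrl   = @($crlUrls  | Where-Object { $_ -notmatch '%%?8' })
$badCert  = @($certUrls | Where-Object { $_ -notmatch '^\d+:ldap:' -and $_ -notmatch '%%?4' })
foreach ($u in $badCrl)  { Write-Warning "CRL URL lacks %8 (CRLNameSuffix): $u" }
foreach ($u in $badCert) { Write-Warning "AIA URL lacks %4 (CertificateName): $u" }
if ($badCrl.Count -or $badCert.Count) { throw 'Fix the CDP/AIA paths before renewing' }

# Step 2: find out whether the CA runs on CNG (KSP) or a legacy CSP and show the current state.
$csp   = Get-ItemProperty -Path $cspKey
$isCng = ($csp.CNGHashAlgorithm -ne $null)
Write-Host ("CA '{0}': provider '{1}', HashAlgorithm 0x{2:x}, CNG={3}, CNGHashAlgorithm={4}" -f `
    $caName, $csp.Provider, $csp.HashAlgorithm, $isCng, $csp.CNGHashAlgorithm)
if (-not $isCng) {
    # A legacy CSP only signs with what it implements; the base RSA provider stops at SHA1.
    Write-Warning 'Legacy CryptoAPI CSP: only HashAlgorithm applies, and the CSP must support it'
}
if (-not $Apply) { Write-Host 'Dry run; re-run with -Apply to change the algorithm'; return }

# Step 2 (apply): the same two values the post edits by hand, written from PowerShell.
Set-ItemProperty -Path $cspKey -Name HashAlgorithm -Value $calgIds[$NewHash] -Type DWord
if ($isCng) { Set-ItemProperty -Path $cspKey -Name CNGHashAlgorithm -Value $NewHash -Type String }

# Step 3: restart the CA service so it picks up the new signing algorithm.
Restart-Service -Name certsvc

# Step 4: renew the CA certificate with a NEW key pair (certutil -renewCert without ReuseKeys,
# the command-line equivalent of "Renew CA Certificate" in the CA MMC). A new root key is a
# new trust anchor, so the renewed certificate has to reach every relying party's root store.
& certutil.exe -renewCert
if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert failed with exit code $LASTEXITCODE" }

# Verify: the newest self-signed CA certificate in the machine store must carry the new hash.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$caName*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
Write-Host ("Newest CA certificate: thumbprint {0}, signature {1}" -f `
    $newest.Thumbprint, $newest.SignatureAlgorithm.FriendlyName)   # md5RSA before, sha1RSA after
```

Run it once without -Apply to get the Step 1 and Step 2 report, and only then with -Apply. The URL check deliberately skips the LDAP AIA entry, which is why the posted CACertPublicationURLs has no %4 in its ldap: line, while every CDP entry, ldap: included, needs %8. The last lines read back the signature algorithm of the newest self-signed certificate instead of trusting the registry value, which is the check the post's Step 4 describes doing by eye in the MMC.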
Hello Elytis,
Thanks for your reply. I will try this solution in the test environment.
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
May 1st, 2012 11:12pm
Hi,
Glad to hear that it makes sense.
Best Regards
Elytis Cheng
TechNet Community Support
May 2nd, 2012 2:50am