We have a SHA1 Infrastructure and we are wondering if converting the SHA1 CA to a SHA2 CA is doable or can a SHA1 CA issue SHA2 certificates. The OS is 2008r2, we have one offline root and one issuing CA. Thanks, Lori

you can configure a CA server to sign all requests by using SHA2 algorithms: certutil -setreg ca\csp\CNGHashAlgorithm SHA256 net stop certsvc && net start certsvc However this will cause that *all* certificate requests will be signed with specified algorithm.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com