Hello imprise,
Thank you for posting in Microsoft Community forum.
Based on the description, I understand your PKI is a one-tier PKI infrastructure: a single online Enterprise root CA.
If so, it is possible to change the signing algorithm of an Enterprise Root Certification Authority (CA) from SHA-1 to SHA-256.
However, it involves careful planning and execution as it is a significant change that can affect your entire Public Key Infrastructure (PKI).
Below are the high-level steps to achieve this:
1. Assess the Impact:
Before making any changes, evaluate the impact of transitioning from SHA-1 to SHA-256. Ensure all applications, devices, and services in your environment support SHA-256.
2. Check the PKI is healthy:
You can open the PKIview.msc console and check if the status of all the entries is OK.
3. Back Up the CA:
Make a full backup of your CA, including the CA database and private keys. This is crucial in case you need to roll back changes.
You can refer to the backup steps in the link below.
Migrating the Certification Authority | Microsoft Learn
4. Reconfigure the CA to Use SHA-256:
You'll need to update the CA to use SHA-256 as the hashing algorithm for future certificates. Note that existing certificates will not be affected; only new certificates issued after the change will use SHA-256.
Steps to change the hashing algorithm:
1. Open an administrative command prompt on your CA server.
2. Use the certutil tool to change the hashing algorithm:
   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
3. Restart the Certificate Services to apply the changes:
   net stop certsvc
   net start certsvc
References
Certificate Services - Migrate form SHA1 to SHA2 (SHA256) | PeteNetLive
5. Reissue CA Certificate:
To reissue the CA certificate with the new SHA-256 algorithm, you have two options: using a new key or the existing key. If you use a new key, you'll essentially be creating a new CA.
Certificate Services - Migrate form SHA1 to SHA2 (SHA256) | PeteNetLive
The safer bet is to use the existing key:
- Open the Certification Authority console.
- Navigate to Certification Authority > right-click your CA > All Tasks > Renew CA Certificate > Same key.
- Follow the wizard to complete the renewal. This will generate a new CA certificate that uses SHA-256.
6. Update Trust Anchors:
Distribute the new CA certificate to all clients and servers that trust the CA. This might involve updating Group Policy or manually distributing certificates to non-domain-joined devices.
7. Test the Changes:
Before rolling out to production, test the changes in a controlled environment. Ensure that new certificates are issued with SHA-256 and that they are trusted by clients and applications.
8. Monitor and Troubleshoot:
After the changes, monitor your environment for any issues related to certificate authentication or trust. Be prepared to troubleshoot and address issues promptly.
Notes:
- Transitioning to a new hashing algorithm is a major change. Ensure you have a comprehensive rollback plan in case things do not go as planned.
- Consider consulting with PKI experts if you are unsure about the steps or the impact on your environment.
By following these steps, you should be able to change the signing algorithm of your Enterprise Root CA from SHA-1 to SHA-256 successfully.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
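The checks an administrator would want around steps 3, 4 and 5 of the answer above, as an added PowerShell example that is not part of Daisy's post or of any Microsoft documentation. It reads the standard AD CS registry location to show which provider holds the CA key and which hash settings are in force, takes the backup before anything is changed, applies the same certutil setting the answer gives, and then lists the CA's own certificates with their signature algorithm so you can see when the renewal in step 5 has actually produced a sha256RSA certificate. It assumes it runs in an elevated session on the CA server, that the CA key is held by a CNG key storage provider (the CNGHashAlgorithm value applies only there; a legacy CryptoAPI CSP uses the numeric HashAlgorithm value instead), and that C:\CABackup is a writable backup location; $Apply, $BackupDir and the function names are the example's own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the CA server. The registry path below is the standard AD CS
# configuration location; $BackupDir and $Apply are assumptions of this script.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
$CspKey    = Join-Path -Path $ConfigKey -ChildPath "$CaName\CSP"
$BackupDir = 'C:\CABackup'   # assumed backup location, adjust as needed
$Apply     = $false          # set to $true to actually back up and change the CA

function Get-CaHashConfig {
    # Report which provider holds the CA key and which hash settings are in force.
    # CNGHashAlgorithm is honoured only when the provider is a CNG KSP; a legacy
    # CryptoAPI CSP uses the numeric HashAlgorithm value instead.
    $csp = Get-ItemProperty -Path $CspKey
    [pscustomobject]@{
        CA               = $CaName
        Provider         = $csp.Provider
        IsKsp            = ($csp.Provider -like '*Key Storage Provider*')
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
        HashAlgorithm    = $csp.HashAlgorithm
    }
}

function Get-CaCertSignatureAlgorithms {
    # List every CA certificate held with its private key on this server
    # (after a same-key renewal there is more than one) and its signature hash.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$CaName*" } |
        Sort-Object NotBefore |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint         = $_.Thumbprint
                NotBefore          = $_.NotBefore
                NotAfter           = $_.NotAfter
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA / sha256RSA
            }
        }
}

function Backup-CaBeforeChange {
    # Step 3 of the post: full backup (database and key) before touching the CA.
    # certutil prompts for the password that protects the exported key.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    certutil -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw 'CA backup failed; do not continue.' }
}

function Set-CaHashSha256 {
    # Step 4 of the post: switch new signatures to SHA-256 and restart certsvc.
    $before = Get-CaHashConfig
    if (-not $before.IsKsp) {
        throw "CA key is held by '$($before.Provider)', not a CNG KSP; CNGHashAlgorithm will not apply."
    }
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed.' }
    Restart-Service -Name certsvc
    (Get-CaHashConfig).CNGHashAlgorithm   # expected to read SHA256 afterwards
}

# Inspect first. The CA certificate itself keeps reporting sha1RSA until it is
# renewed with the same key (step 5 in the post); only then does a second,
# sha256RSA entry appear in the list.
Get-CaHashConfig | Format-List
Get-CaCertSignatureAlgorithms | Format-Table -AutoSize

if ($Apply) {
    Backup-CaBeforeChange
    Set-CaHashSha256
    Get-CaCertSignatureAlgorithms | Format-Table -AutoSize
}
```

Run it once with $Apply left at $false to confirm the provider is a KSP and to record the current state, then again with $Apply set to $true; after the wizard in step 5 has finished, Get-CaCertSignatureAlgorithms is the quickest way to confirm that the newest CA certificate is signed with sha256RSA before you start distributing it in step 6.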