active directory certificate authority - convert from sha1 to sha2

Lotfi BOUCHERIT 91 Reputation points
2021-06-14T10:25:25.817+00:00

hello,
we have our Certificate authority installed and configured since Windows Server 2003, and now it's on Windows Server 2012 R2. Its cryptographic algorithms use SHA1, which is considered as weak encryption.
And all the generated certificates are not accepted by almost all systems (modern web browsers, systems...)
We would like to know if converting to SHA2 (256) would impact the already delivered certificates or not?
Thank you in advance,

Windows Server Security

Accepted answer
  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-17T02:08:49.32+00:00

    Hello @LotfiBOUCHERIT-4930,

    I am so glad to receive your reply.

    We can check via GUI.

    Log on to the CA server and open Certification Authority.

    Right-click the CA name, select Properties and click one CA root certificate, then you will see it.

    For example:

    Here is KSP and SHA256: [image 106320-csp.png]

    Here is CSP and SHA1: [image 106401-csp2.png]

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


5 additional answers

Sort by: Most helpful
  1. Vadims Podāns 9,121 Reputation points MVP
    2021-06-14T21:17:39.343+00:00

    If it is a root CA, then its own SHA1 signature is acceptable, because clients use explicit/direct trust. What is not acceptable is to use SHA1 in certificates that use implicit/indirect trust through the chain. Since your CA was migrated from the original Windows Server 2003, you have to migrate the key from the legacy CSP to a modern KSP in order to utilize SHA2 signatures, as outlined in the following article: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn771627(v=ws.11). You cannot use SHA2 until you migrate keys to KSP.
    There are instructions on how to force the CA to use modern signatures:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    

  2. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2021-06-15T01:53:13.4+00:00

    Hello @LotfiBOUCHERIT-4930,

    Thank you for posting here.

    Hope the information provided by Crypt32 is helpful to you.

    Q: We would like to know, if converting to SHA2 (256), would impact the already delivered certificates or not?
    A: From the following article, we can see:
    What about certificates that have already been issued?
    We are NOT going to revoke any CA certificates that have already been issued so existing certificates will remain unaffected.

    Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
    https://www.petenetlive.com/KB/Article/0001243

    Reference
    Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1
    https://devblogs.microsoft.com/scripting/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1/

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou

    ============================================
    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. Lotfi BOUCHERIT 91 Reputation points
    2021-06-16T10:30:47.197+00:00

    @Daisy Zhou @Vadims Podāns thank you both for your answers, especially @Daisy Zhou
    I just would like to know how I can find out what service provider is used now.
    I found on the internet that I should use some commands:
    certutil -csplist
    certutil -csptest
    and other commands, but none of them says precisely what provider we have.
    Thank you in advance for your help

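    As an added example (not part of the thread or of Microsoft's tooling), the question above can be answered without the GUI by reading the CA's CertSvc configuration from the registry. The script is read-only and assumes the standard layout (`Configuration\Active`, and `Provider`, `ProviderType`, `HashAlgorithm`, `CNGHashAlgorithm` under `<CAName>\CSP`), that it runs on the CA host with administrative rights, and that the CA's common name matches the Active configuration name.

```powershell
# Added example: report which key provider (legacy CSP vs. CNG KSP) and which
# signing hash an AD CS CA is configured with. Read-only; changes nothing.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active       # assumption: Active = CA config name
$csp    = Get-ItemProperty -Path "$base\$caName\CSP"

# ProviderType 0 = CNG key storage provider (KSP); any other value = CryptoAPI CSP.
# A KSP stores the hash as a string (CNGHashAlgorithm); a CSP stores a CALG_* DWORD.
$isKsp = ($csp.ProviderType -eq 0)
if ($isKsp) {
    $hash = $csp.CNGHashAlgorithm                      # e.g. SHA1 or SHA256
} else {
    $calg = @{ 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
    $id   = [int]$csp.HashAlgorithm
    $hash = if ($calg.ContainsKey($id)) { $calg[$id] } else { '0x{0:X}' -f $id }
}

[pscustomobject]@{
    CA           = $caName
    Provider     = $csp.Provider                       # e.g. 'Microsoft Software Key Storage Provider'
    ProviderKind = if ($isKsp) { 'KSP (CNG)' } else { 'CSP (legacy)' }
    SigningHash  = $hash
    CanUseSha2   = $isKsp                              # SHA2 signing requires the key in a KSP
}

# The CA's own certificate(s) in the machine store. A SHA1 signature on a
# self-signed root is tolerated (explicit trust); SHA1 on certificates trusted
# through the chain is what modern clients reject.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$caName*" } |
    Select-Object Thumbprint, NotAfter,
        @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } },
        @{ n = 'SelfSigned';         e = { $_.Subject -eq $_.Issuer } }
```

    The same registry values can be dumped with `certutil -getreg ca\csp`; the script only adds the decoding of `ProviderType` and the CALG_* identifiers so the provider kind and hash are stated explicitly.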

  4. Lotfi BOUCHERIT 91 Reputation points
    2021-06-17T08:35:40.55+00:00

    Hello @Daisy Zhou
    Thank you so much for your precious help
    Our CA is KSP...
    I'll proceed with changing to SHA2 during this week and keep you updated,
    Thank you

