SHA-1 in root CA for SCCM CB ssetup?

Eaven HUANG 2,156 Reputation points

I noticed that our root CA (hosted in DC) is still using SHA-1. Currently we are running into HTTPS issue.
I'm wondering

Will Sha-1 still support SCCM Current Branch, or this could be the root cause that client PC can't sign PKI?
If SHA-2 is a must, how can I upgrade to SHA-2 without impacting our DC? no reboot if possible.
I guess even if I used a member server to install a new CA role, it can't host SHA-256 directly? if it still used the root CA.


Microsoft Configuration Manager
0 comments No comments
{count} votes

Accepted answer
  1. Jason Sandys 31,186 Reputation points Microsoft Employee

    SHA-1 is completely deprecated and considered insecure and unsafe for all purposes. I doubt we've done anything to cripple it in ConfigMgr, however, Windows may have.

    Moving your PKI infra to SHA-2 is unrelated to your DC unless you actually have your CA set up on a DC in which case it's time to probably create a new PKI. that's a much bigger discussion though and not directly related to ConfigMgr and I'd highly recommend that you involve a PKI smart person in that conversation and effort.

    Also, keep in mind that with the latest versions of ConfigMgr, you do not need to use a PKI to support remotely connected Internet clients thus if that's your sole purpose for using PKI certs you may also consider moving away from them. This will depend on your full requirements including non-ConfigMgr related security requirements that your org may have.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Simon Ren-MSFT 32,141 Reputation points Microsoft Vendor


    Thanks for posting in Microsoft MECM Q&A forum.

    Effective January 1, 2017, Windows will no longer trust certificates signed with SHA-1. Per the official document, we need to use SHA-2 certificate for MECM. Refer to:
    Supported certificate types


    For more information about migrating from SHA1 to SHA2, you could refer to:
    SHA1 Key Migration to SHA256 for a two tier PKI hierarchy
    Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

    Hope it helps. Have a nice day!

    Best regards,

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.