Generate SHA512 certificate

bizcntradmin 181 Reputation points
2020-09-11T12:55:22.913+00:00

Hi Guys,

We have a two-tier PKI.

Provider: Microsoft Software Key Storage
Hash algorithm: SHA256

When I generate a certificate, it is signed using SHA256RSA. Is it possible to have SHA384 or SHA512? That's the signature algorithm supported by the appliance.

Active Directory
A set of directory-based technologies included in Windows Server.

2 answers

  1. Hannah Xiong 6,161 Reputation points
    2020-09-14T01:45:42.53+00:00

    Hello,

    Thank you so much for posting here.

    Whatever hash algorithm you choose under "Select the hash algorithm for signing certificates issued by this CA" determines how the root CA's own CA certificate is signed and how it will, by default, sign other certificates and CRLs it issues.

    Some applications supporting SHA-2 have problems with the larger SHA-2 key sizes, such as SHA-512. For example, TLS 1.2 supports SHA-256 and SHA-384, but not SHA-512.

    Here are some relevant links:
    https://social.technet.microsoft.com/Forums/en-US/b6ffa278-4a04-4609-ac35-8390f5ba9cb6/ldap-over-ssl-on-windows-2012r2-server-dcs-tls-12-not-working?forum=winserversecurity

    https://ucken.blogspot.com/2013/12/schannel-errors-on-lync-server.html

    https://learn.microsoft.com/en-us/archive/blogs/silvana/schannel-errors-on-scom-agent

    For more information, we could refer to:
    Implementing SHA-2 in Active Directory Certificate Services
    https://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx

    We could kindly have a check of the provided information to evaluate the limitation of SHA 512.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Hannah Xiong 6,161 Reputation points
    2020-09-18T09:13:29.43+00:00

    Hello,

    I am checking how the issue is going and I am wondering if the provided information was helpful.

    As mentioned before, the hash algorithm was determined by the selection made when installing the CAs, as follows.

    For the two-tier PKI, the hash algorithm chosen on the root CA determines how the Subordinate CA's certificate is signed. During the Subordinate CA install, the hash algorithm you select under "Select the hash algorithm for signing certificates used by this CA" determines how the certificates and CRLs issued by the Subordinate CA are signed.

    It is okay to upgrade to SHA384 or SHA512 from SHA256. Before we make this change, we need to check in advance whether there is any application (or device) that does not support the hash algorithm SHA384 or SHA512. If so, when this application requests a certificate from the renewed CA root certificate with hash algorithm SHA384 or SHA512, the certificate may not be available.

    It can be changed by the registry CNGEncryptionAlgorithm. To use the certutil.exe command to set these values, use the following syntax:

    certutil -setreg ca\csp\CNGHashAlgorithm <Hash Algorithm>

    For example:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA384

    Note: As with all changes, make sure you back up the settings before changing, and test thoroughly after the change.

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong

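The change described in the second answer, written out as a backup, set, restart and verify sequence. This is an added example and not part of the original answers. It assumes an elevated PowerShell session on the issuing CA and a CA key held in a CNG key storage provider; `$BackupDir` and `$TestCert` are hypothetical paths.

```powershell
# Added example (not from the thread). Run elevated on the issuing (subordinate) CA.
# Assumptions: the CA key lives in a CNG key storage provider; $BackupDir and
# $TestCert are hypothetical paths chosen for this example.
param(
    [ValidateSet('SHA256', 'SHA384', 'SHA512')]
    [string]$NewHash   = 'SHA384',
    [string]$BackupDir = 'C:\CABackup',
    [string]$TestCert  = 'C:\CABackup\test-after-change.cer'
)
$ErrorActionPreference = 'Stop'

# 1. Back up the CA configuration registry key before touching it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-$stamp.reg" /y
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }

# 2. Record the current value for rollback, then set the new one.
certutil.exe -getreg ca\csp\CNGHashAlgorithm |
    Tee-Object -FilePath "$BackupDir\CNGHashAlgorithm-before-$stamp.txt"
certutil.exe -setreg ca\csp\CNGHashAlgorithm $NewHash
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed.' }

# 3. The CA service reads this value at start-up, so restart it.
Restart-Service -Name certsvc

# 4. Publish a fresh CRL so the CRL is re-signed with the new hash as well.
certutil.exe -CRL

# 5. Issue a test certificate, export it to $TestCert, then confirm what the
#    relying device will actually see in the signature algorithm field.
if (Test-Path $TestCert) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($TestCert)
    $alg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha384RSA
    "Signature algorithm on test certificate: $alg"
    if ($alg -notmatch $NewHash) { Write-Warning "Expected $NewHash, got $alg" }
} else {
    "Issue a test certificate, export it to $TestCert, and run this script's step 5 again."
}
```

Certificates issued before the change keep their original signature; only certificates and CRLs issued after the service restart use the new hash, so test the appliance with a freshly issued certificate.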