Microsoft
MicrosoftLatest FIPS 140-2 Level 3 and FIPS 140-3 have limited HASH algorithm to SHA256/384/512 and SHA-1 can not be used for security reasons. If I use a FIPS certified smart card to do certificate based smart card logon to Windows 10 and Windows 11 (Windows 10/11 has been on-prem Domain joined and has smart card logon certificate provisioned), the logon process will fail because the kerberos/PKINIT always uses SHA-1, even though I changed CSP/Minidriver to report only SHA256/384/512 algorithm support list to Windows, and I changed according to https://www.anoopcnair.com/configure-hash-algorithms-for-certificate-logon/ to disable SHA-1. I logged the process of lsass.exe calling CSP/Minidriver, it will create SHA-1 hash and then sign the SHA-1 digest later.
So how to use FIPS certified smart card (without SHA-1) to logon to windows 10/11?
