%3CLINGO-SUB%20id%3D%22lingo-sub-1129040%22%20slang%3D%22en-US%22%3EUpgrade%20Certification%20Authority%20to%20SHA256%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1129040%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Sep%2019%2C%202013%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EA%20common%20question%20in%20the%20field%20is%20about%20upgrading%20a%20certification%20authority%20running%20on%20Windows%20Server%202003%20to%20use%20Crypto%20Next%20Generation%20(CNG)%20to%20support%20SHA256.%20CNG%20was%20introduced%20in%20Windows%20Server%202008%20and%20higher%20operating%20systems%2C%20as%20a%20result%2C%20%3CBR%20%2F%3Ean%20upgrade%20to%20the%20operating%20system%20is%20required.%20After%20upgrading%20the%20certification%20authority%E2%80%99s%20operating%20system%2C%20you%20will%20need%20to%20run%20%3CBR%20%2F%3Ethe%20following%20commands%20from%20an%20elevated%20command%20line%20window%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20courier%20new%2Ccourier%3B%22%3E%20certutil%20-setreg%26nbsp%3Bca%5Ccsp%5CCNGHashAlgorithm%20SHA256%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20courier%20new%2Ccourier%3B%22%3E%20net%20stop%20certsvc%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20courier%20new%2Ccourier%3B%22%3E%20net%20start%20certsvc%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20sure%20you%20are%20%26nbsp%3Busing%20a%20Key%20Storage%20Provider%20that%20supports%20SHA256%20%E2%80%93%20for%20example%20the%20Microsoft%20Key%20Storage%20Provider%26nbsp%3B-%20and%20then%20renewing%20the%20certification%20authority%E2%80%99s%20certificate.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20this%20proves%20to%20be%20too%20complicated%2C%20then%20you%20can%20simply%20issue%20certificates%20to%20clients%20using%20SHA256%20even%20if%20the%20entire%20certification%20authority%E2%80%99s%20chain%20is%20signed%20with%20SHA1%20certificates.%20The%20applications%20consuming%20the%20SHA256%20certificates%20have%20to%20support%20the%20SHA256%20signature%20on%20any%20given%20certificate%20in%20the%20chain.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAmer%20Kamal%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESenior%20Premier%20Field%20Engineer%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1129040%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TECHNET%20on%20Sep%2019%2C%202013%20A%20common%20question%20in%20the%20field%20is%20about%20upgrading%20a%20certification%20authority%20running%20on%20Windows%20Server%202003%20to%20use%20Crypto%20Next%20Generation%20(CNG)%20to%20support%20SHA256.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1129040%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAmerKamal%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

First published on TECHNET on Sep 19, 2013

A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result,
an upgrade to the operating system is required. After upgrading the certification authority’s operating system, you will need to run
the following commands from an elevated command line window:

 

 

 

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

 

net stop certsvc

 

net start certsvc

 

Make sure you are  using a Key Storage Provider that supports SHA256 – for example the Microsoft Key Storage Provider - and then renewing the certification authority’s certificate.

 

 

 

If this proves to be too complicated, then you can simply issue certificates to clients using SHA256 even if the entire certification authority’s chain is signed with SHA1 certificates. The applications consuming the SHA256 certificates have to support the SHA256 signature on any given certificate in the chain.

 

Amer Kamal

 

Senior Premier Field Engineer