Update Microsoft certificate authorities to use the SHA-2 hashing algorithm

Summary

Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.

Configure Microsoft certificate authorities SHA-2

Confirm your current configuration

EDIT 04/2015: Your Operating System must support SHA-256.

  1. Start your the Certification Authority Tools
  2. Select your Certificate Authority and open the Properties.
    Capture001
  3. On the General tab, you can see your actual Hash algorithm (in my case SHA-1).
    Capture007
  4. You can look at the your Certificate Authority Certificate properties, using View Certificate, browse to Details. As you can see my current Signature hash algorithm is SHA1 for this certificate.
    Capture003

Move your Certificate Authority to SHA256

EDIT 04/2015: Your CA must be in a running state before execute the folowing commands.

  1. Open a Windows Powershell.
  2. Enter the command:
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256

    Capture004

  3. Restart your Certificate Authority service using the Stop this service and Start this Servicebutton.
    Capture005

Your Certificate Authority is now issuing certificate using SHA256 as Hash Algorithm, but your current certificate is still a SHA-1 hash algorithm.

Renew your Certificate Authority Certificate to use SHA256

  1. Select your Certificate Authority and open the All Tasks line, Then select Renew CA Certificate…
    Capture101
  2. Accept the request to stop the Active Directory Certificate Service
  3. You can choose to generate a new signing key.
    Capture102
  4. Active Directory Certificate Service will restart

Your Certificate Authority is now using the new certificate that you issued with SHA256 as hash algorithm.

Confirm your current configuration

  1. Select your Certificate Authority and open the Properties
    Capture001
  2. On the General tab, you can see your actual Hash algorithm (in my case SHA256).
    Capture007
  3. You can look at the your Certificate Authority Certificate properties, using View Certificate, browse to Details. As you can see my current Signature hash algorithm is SHA256 for this certificate.
    Capture103

No Comments

Post a Comment