Summary
Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.
Confirm your current configuration
EDIT 04/2015: Your Operating System must support SHA-256.
- Start your the Certification Authority Tools
- Select your Certificate Authority and open the Properties.
- On the General tab, you can see your actual Hash algorithm (in my case SHA-1).
- You can look at the your Certificate Authority Certificate properties, using View Certificate, browse to Details. As you can see my current Signature hash algorithm is SHA1 for this certificate.
Move your Certificate Authority to SHA256
EDIT 04/2015: Your CA must be in a running state before execute the folowing commands.
- Open a Windows Powershell.
- Enter the command:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
- Restart your Certificate Authority service using the Stop this service and Start this Servicebutton.
Your Certificate Authority is now issuing certificate using SHA256 as Hash Algorithm, but your current certificate is still a SHA-1 hash algorithm.
Renew your Certificate Authority Certificate to use SHA256
- Select your Certificate Authority and open the All Tasks line, Then select Renew CA Certificate…
- Accept the request to stop the Active Directory Certificate Service
- You can choose to generate a new signing key.
- Active Directory Certificate Service will restart
Your Certificate Authority is now using the new certificate that you issued with SHA256 as hash algorithm.
Confirm your current configuration
- Select your Certificate Authority and open the Properties
- On the General tab, you can see your actual Hash algorithm (in my case SHA256).
- You can look at the your Certificate Authority Certificate properties, using View Certificate, browse to Details. As you can see my current Signature hash algorithm is SHA256 for this certificate.
