Deprecate SHA 1 on Microsoft CA

If you have a Server 2008 R2 or later single-root CA without subordinates, you should update the CA to use SHA-2. Doing so will ensure that subsequent certificates generated will use the SHA-2 algorithm. To check which hash algorithm is being used, you can right-click the CA and go to the General tab. If SHA-1 is listed, you can run the following certutil command to configure the CA to use the SHA-256 algorithm:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256M

Example Output:

C:\Users\Administrator>certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Old Value:
  CNGHashAlgorithm REG_SZ = SHA1

New Value:
  CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.


This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies