Microsoft CA
Deprecate SHA-1 on Microsoft CA
If you have a Server 2008 R2 or later single-root CA without subordinates, you should update the CA to use SHA-2. Doing so will ensure that subsequent certificates generated will use the SHA-2 algorithm. To check which hash algorithm is being used, you can right-click the CA and go to the General tab. If SHA-1 is listed, you can run the following certutil command to configure the CA to use the SHA-256 algorithm:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Example Output:
C:\Users\Administrator>certutil -setreg ca\csp\CNGHashAlgorithm SHA256
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ucce9-UCCECVP9-A-CA\csp:

Old Value:
  CNGHashAlgorithm REG_SZ = SHA1

New Value:
  CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
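The check, the change, and the service restart mentioned in the output can be scripted together. The following is an added example, not part of the original article; it assumes an elevated PowerShell session on the CA server, and the helper name Get-CertSignatureAlgorithm and the sample .cer path are hypothetical.

```powershell
# Added example: audit the CA's signing hash, switch it to SHA256, restart
# CertSvc, and confirm the result. Run elevated on the CA server.
$ErrorActionPreference = 'Stop'
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$target     = 'SHA256'

# The "Active" value names the CA configuration that certutil's "ca\" prefix resolves to.
$caName = (Get-ItemProperty -Path $configRoot -Name Active).Active
$cspKey = Join-Path $configRoot "$caName\csp"

function Get-CaHashAlgorithm {
    (Get-ItemProperty -Path $cspKey -Name CNGHashAlgorithm).CNGHashAlgorithm
}

# Hypothetical helper: report the signature algorithm of an exported certificate,
# used to confirm that a certificate issued after the change is SHA-2 signed.
function Get-CertSignatureAlgorithm([string]$Path) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $cert.SignatureAlgorithm.FriendlyName
}

$current = Get-CaHashAlgorithm
Write-Output "CA '$caName' currently signs with: $current"

if ($current -ne $target) {
    certutil -setreg ca\csp\CNGHashAlgorithm $target
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed with exit code $LASTEXITCODE"
    }

    # The new value is only picked up once the service restarts.
    Restart-Service -Name CertSvc

    $after = Get-CaHashAlgorithm
    if ($after -ne $target) {
        throw "CNGHashAlgorithm is still '$after' after the change"
    }
    Write-Output "CNGHashAlgorithm is now $after; CertSvc restarted"
}

# After issuing a new test certificate, export it and check its signature.
# The path below is a constructed placeholder:
# Get-CertSignatureAlgorithm -Path 'C:\Temp\new-test-cert.cer'
```

Only certificates issued after the restart are affected; certificates issued earlier keep their existing SHA-1 signatures until they are reissued.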
Ref: http://windowsitpro.com/security/your-organization-using-sha-1-ssl-certificates