If you have a Server 2008 R2 or later single-root CA without subordinates, you should update the CA to sign with SHA-2. Once changed, every certificate and CRL the CA issues from then on is signed with SHA-256; certificates already issued are not re-signed, and the CA's own certificate keeps its original SHA-1 signature until you renew it. To check which hash algorithm is in use, right-click the CA in the Certification Authority console, choose Properties, and look at the General tab. If SHA-1 is listed, run the following certutil command from an elevated prompt on the CA to switch it to SHA-256, then restart the CertSvc service so the change takes effect. Note that the CNGHashAlgorithm setting is only honoured when the CA's private key is held by a CNG key storage provider (KSP); a CA whose key sits in a legacy CSP must have the key migrated to a KSP before this setting has any effect:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Example Output:

C:\Users\Administrator>certutil -setreg ca\csp\CNGHashAlgorithm SHA256
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ucce9-UCCECVP9-A-CA\csp:

Old Value:
  CNGHashAlgorithm REG_SZ = SHA1

New Value:
  CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
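The following PowerShell script is an added example, not part of the original page, that automates the procedure above end to end: it reads the CA name and current hash algorithm from the CertSvc registry configuration, checks that the key is KSP-backed (otherwise CNGHashAlgorithm is ignored), applies the certutil change, restarts CertSvc, and then verifies the result on something the CA actually signs by publishing a fresh CRL and inspecting its signature algorithm. It assumes it is run in an elevated PowerShell on the CA itself and that the CRL is published to the default CertEnroll folder under the CA name; the registry value names (Active, Provider, CNGHashAlgorithm) are the ones certutil -setreg writes.

```powershell
# Added example, not from the original page: automate the SHA-1 -> SHA-256
# switch and verify it. Run in an elevated PowerShell on the CA itself.
# Assumptions: the CA key is held by a CNG key storage provider (KSP) and the
# CRL is published to the default CertEnroll folder as "<CA name>.crl".

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # active CA common name
$cspKey    = Join-Path $configKey "$caName\CSP"

# 1. CNGHashAlgorithm is only honoured for KSP-backed keys; a legacy CSP key
#    must be migrated to a KSP first, so refuse to continue in that case.
$provider = (Get-ItemProperty -Path $cspKey -Name Provider).Provider
if ($provider -notlike '*Key Storage Provider*') {
    throw "CA '$caName' key is held by legacy CSP '$provider'; migrate it to a KSP before changing the hash algorithm."
}

# 2. Read the current signing hash (the same value the General tab displays).
$before = (Get-ItemProperty -Path $cspKey -Name CNGHashAlgorithm -ErrorAction SilentlyContinue).CNGHashAlgorithm
Write-Host "CA '$caName' currently signs with: $before"

# 3. Switch to SHA-256 and restart CertSvc so the CA picks the change up.
if ($before -ne 'SHA256') {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }
    Restart-Service -Name CertSvc
}

# 4. Verify on a real signature: publish a new CRL and dump its signature
#    algorithm. Expect sha256RSA (OID 1.2.840.113549.1.1.11) for an RSA CA,
#    or sha256ECDSA for an ECDSA CA.
certutil -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed; is CertSvc running?' }
$crlPath = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$caName.crl"
$match   = certutil -dump $crlPath | Select-String -Pattern 'sha\d+(RSA|ECDSA)' | Select-Object -First 1
if (-not $match) { throw "Could not find a signature algorithm in $crlPath" }
$sigAlg = $match.Matches[0].Value
Write-Host "New CRL signature algorithm: $sigAlg"
if ($sigAlg -notmatch '^sha256') {
    throw 'CRL is still not SHA-256 signed; confirm CertSvc restarted and the key is KSP-backed.'
}
```

Checking the CRL rather than the registry value is the point of step 4: the registry shows what was configured, while the CRL shows what the running CA actually signed after the restart. The CA's own certificate is unaffected by this script; renew it separately if you also want the trust anchor itself to carry a SHA-256 signature.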

Ref: http://windowsitpro.com/security/your-organization-using-sha-1-ssl-certificates

  • vendors/microsoft/ca.txt
  • Last modified: 2018/05/17 19:56
  • by gerardorourke