question

0 Votes
LotfiBOUCHERIT asked DaisyZhou-MSFT answered

active directory certificate authority - convert from sha1 to sha2

Hello,
We have had our Certificate Authority installed and configured since Windows Server 2003, and now it is on Windows Server 2012 R2. Its cryptographic algorithms use SHA1, which is considered weak encryption.
All the generated certificates are not accepted by almost all systems (modern web browsers, systems...).
We would like to know if converting to SHA2 (256) would impact the already delivered certificates or not.
Thank you in advance,

windows-server-security

Is it root or subordinate CA?

0 Votes

It is a root CA.

0 Votes
0 Votes
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @LotfiBOUCHERIT-4930,

I am so glad to receive your reply.

We can check via the GUI.

Log on to the CA server and open Certification Authority.

Right-click the CA name, select Properties, and click one CA root certificate; then you will see it.

For example:

Here is KSP and SHA256

106320-csp.png

Here is CSP and SHA1
106401-csp2.png

Hope the information above is also helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

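The command-line equivalent of the Properties tab above, as an added example that is not part of this thread: it reads the CA's provider and hash settings from the CertSvc configuration registry and tells you whether the key is held by a legacy CSP or a CNG KSP. It assumes you run it on the CA server as an administrator; the registry value names are the ones certutil -getreg ca\csp\* exposes.

```powershell
# Added example, not from the thread: report the CA's key provider kind and the
# hash algorithm it signs with, from the CertSvc configuration registry.
# Assumes the AD CS role is installed locally and the shell is elevated.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath -Name Active).Active   # active CA instance
$csp     = Get-ItemProperty -Path "$cfgPath\$caName\CSP"

# CNG key storage providers register ProviderType 0; legacy CryptoAPI CSPs
# register a non-zero PROV_* type (1 = PROV_RSA_FULL, 24 = PROV_RSA_AES, ...).
$isKsp = ($csp.ProviderType -eq 0)

# Legacy CSPs store the hash as a CryptoAPI ALG_ID DWORD; 0x8004 is CALG_SHA1.
# KSPs store it as the CNGHashAlgorithm string (for example SHA256).
$legacyHash = @{ 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
if ($isKsp) {
    $hash = $csp.CNGHashAlgorithm
    $kind = 'KSP (CNG)'
} else {
    $hash = $legacyHash[[int]$csp.HashAlgorithm]
    $kind = 'CSP (legacy CryptoAPI)'
}

[pscustomobject]@{
    CA            = $caName
    Provider      = $csp.Provider
    ProviderKind  = $kind
    SignatureHash = $hash
}

# Equivalent certutil queries:
#   certutil -getreg ca\csp\Provider
#   certutil -getreg ca\csp\CNGHashAlgorithm
# As Crypt32 points out, CNGHashAlgorithm only takes effect once the key is held
# by a KSP; on a legacy CSP the key must be migrated first. After changing the
# value, restart the service (net stop certsvc; net start certsvc) so new
# signatures use it. Already-issued certificates keep their SHA1 signatures.
```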

0 Votes
Crypt32 answered

If it is a root CA, then its own SHA1 signature is acceptable, because clients use explicit/direct trust. What is not acceptable is to use SHA1 in certificates that use implicit/indirect trust through a chain. Since your CA was migrated from the original Windows Server 2003, you have to migrate the key from the legacy CSP to a modern KSP in order to utilize SHA2 signatures, as outlined in the following article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn771627(v=ws.11). You cannot use SHA2 until you migrate keys to a KSP.
There are instructions on how to force the CA to use modern signatures:

 certutil -setreg ca\csp\CNGHashAlgorithm SHA256

0 Votes
DaisyZhou-MSFT answered

Hello @LotfiBOUCHERIT-4930,

Thank you for posting here.

Hope the information provided by Crypt32 is helpful to you.

Q: We would like to know, if converting to SHA2 (256), would impact the already delivered certificates or not?
A: From the following article, we can see:
What about certificates that have already been issued?
We are NOT going to revoke any CA certificates that have already been issued so existing certificates will remain unaffected.

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
https://www.petenetlive.com/KB/Article/0001243

Reference
Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1
https://devblogs.microsoft.com/scripting/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1/

Hope the information above is also helpful.

Should you have any question or concern, please feel free to let us know.

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


0 Votes
LotfiBOUCHERIT answered

@DaisyZhou-MSFT @Crypt32 thank you both for your answers, especially @DaisyZhou-MSFT.
I would just like to know: how can I find out what service provider is used now?
I found on the internet that I should use some commands:
certutil -csplist
certutil -csptest
and other commands, but none of them said precisely what provider we have.
Thank you in advance for your help.


0 Votes
LotfiBOUCHERIT answered

Hello @DaisyZhou-MSFT,
Thank you so much for your precious help.
Our CA is KSP...
I'll proceed with changing to SHA2 during this week and keep you updated.
Thank you


0 Votes
DaisyZhou-MSFT answered

Hello @LotfiBOUCHERIT-4930,

Thank you for your update and for accepting my reply as the answer.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
