Changes current Certification Authority (CA) cryptography settings.
Set-CACryptographyConfig -InputObject <CACryptography[]> [[-HashingAlgorithm] <Oid>] [[-EncryptionAlgorithm] <Oid>] [-AlternateSignatureAlgorithm] [-RestartCA] [<CommonParameters>]
Changes current Certification Authority (CA) cryptography settings. The following settings can be modified by this command:
Hashing Algorithm -- the algorithm that is used to hash and sign issued certificates and certificate revocation lists (CRLs).
Public Key Algorithm -- the asymmetric algorithm that is used to produce the signature of the certificate or CRL. For example, change from the RSA to the ECDSA algorithm.
Alternate Signature Algorithm -- instructs the CA server to use the PKCS#1 v2.1 signature format.
Note: Public Key Algorithm and Alternate Signature Algorithm are not supported by legacy cryptographic service providers (aka CryptoAPI CSP). Currently only CAPI2 (Key Storage) providers support these settings.
-InputObject <CACryptography[]>
Specifies an existing CA cryptography configuration object. This object can be retrieved by running the Get-CACryptographyConfig command.
Required? | True |
Position? | named |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-HashingAlgorithm <Oid>
Specifies the new hashing and signature algorithm. You can pass either an Oid object that contains the new algorithm information, an algorithm friendly name, or an algorithm object identifier.
Required? | False |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-EncryptionAlgorithm <Oid>
Specifies the new asymmetric algorithm. You can pass either an Oid object that contains the new algorithm information, an algorithm friendly name, or an algorithm object identifier.
Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.
Required? | False |
Position? | 2 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-AlternateSignatureAlgorithm
Specifies whether the CA server should use the PKCS#1 v2.1 signature format, which produces signatures with the RSASSA-PSS (1.2.840.113549.1.1.10) signature algorithm. Not all systems and applications recognize this signature format.
Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-RestartCA
Restarts the CA service on the specified CA server so that the changes take effect immediately.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
PKI.CertificateServices.CACryptography
PKI.CertificateServices.CACryptography
Author: Vadims Podans
Blog: https://www.sysadmins.lv
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -RestartCA
This example retrieves the existing CA cryptography configuration and changes the hashing algorithm to 'SHA256'. After the certificate service is restarted, all newly issued certificates and CRLs are signed using the 'SHA256' signing algorithm.
PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -AlternateSignatureAlgorithm -RestartCA
This example retrieves the existing CA cryptography configuration, changes the hashing algorithm to 'SHA256' and forces the CA server to use the PKCS#1 v2.1 signature format. After the certificate service is restarted, all newly issued certificates and CRLs are signed using a PSS signing algorithm, with the content hashed using the 'SHA256' hashing algorithm.
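The following script is an added example (not code from the PSPKI module or from this help page) that audits one or more CAs for a legacy hashing algorithm, moves them to SHA256, and requests PSS signatures only where the provider can honour the switch. It assumes the CACryptography object exposes a HashingAlgorithm property of type Oid; only ProviderIsCNG is named on this page, and the CA names are placeholders.

```powershell
# Added example, not code from the PSPKI module or this page. Reports each CA's
# current hashing algorithm and provider type, then (with -Apply) switches weak
# hashes to SHA256. PSS is enabled only when ProviderIsCNG is True, because the
# -AlternateSignatureAlgorithm switch is ignored for legacy CSPs.
# Assumption: CACryptography exposes a HashingAlgorithm property of type Oid.
param(
    [string[]]$CAName = @('MyCA'),   # placeholder CA names
    [switch]$EnablePss,              # request PSS where the provider allows it
    [switch]$Apply                   # without -Apply the script only reports
)

# Digests that should no longer sign certificates or CRLs
$weak = @('sha1', 'md5', 'md4', 'md2')

foreach ($name in $CAName) {
    $cfg       = Get-CertificationAuthority -Name $name | Get-CACryptographyConfig
    $current   = $cfg.HashingAlgorithm.FriendlyName
    $needsHash = $weak -contains $current.ToLower()
    $pssOk     = $EnablePss -and $cfg.ProviderIsCNG

    if ($EnablePss -and -not $cfg.ProviderIsCNG) {
        Write-Warning "${name}: legacy CSP in use; -AlternateSignatureAlgorithm would be ignored"
    }

    # One report row per CA, emitted whether or not changes are applied
    [pscustomobject]@{
        CA          = $name
        Hashing     = $current
        ProviderCNG = $cfg.ProviderIsCNG
        Action      = if ($needsHash -or $pssOk) { 'update' } else { 'compliant' }
    }

    if (-not $Apply -or -not ($needsHash -or $pssOk)) { continue }

    # Build the Set-CACryptographyConfig call from the findings; -RestartCA
    # bounces the CA service so the new settings take effect at once.
    $set = @{ InputObject = $cfg; RestartCA = $true }
    if ($needsHash) { $set.HashingAlgorithm = 'SHA256' }
    if ($pssOk)     { $set.AlternateSignatureAlgorithm = $true }
    Set-CACryptographyConfig @set
}
```

Run without -Apply first to review the report; PSS signatures are only requested when -EnablePss is given, since the page notes not every relying party recognizes that format.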
Get-CACryptographyConfig
Get-CertificationAuthority
Connect-CertificationAuthority