Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL:
Post name: Upgrade Certification Authority to SHA256
Original author: Amerk [MSFT]
Posting date: 2013-09-19T10:51:00+00:00

A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result,
an upgrade to the operating system is required. After upgrading the certification authority’s operating system, you will need to run
the following commands from an elevated command line window:

certutil -setregca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

Make sure you are using a Key Storage Provider that supports SHA256 – for example the Microsoft Key Storage Provider- and then renewing the certification authority’s certificate.

If this proves to be too complicated, then you can simply issue certificates to clients using SHA256 even if the entire certification authority’s chain is signed with SHA1 certificates. The applications consuming the SHA256 certificates have to support the SHA256 signature on any given certificate in the chain.

Amer Kamal

Senior Premier Field Engineer

Share this article:


Comments are closed.