How to Migrate PKI 2-Tier SHA1 to SHA256 in Windows Server 2012 R2

In this post, I will cover how to migrate a 2-tier Windows PKI infrastructure from the SHA-1 hash algorithm to SHA-256 (a member of the SHA-2 family, often simply called SHA-2).

Why this migration is needed:

Server authentication certificates: CAs must begin issuing new certificates using only the SHA-2 algorithm after January 1, 2016. Windows will no longer trust certificates signed with SHA-1 after January 1, 2017.

What is covered in this article:

1. How to convert the Root CA (offline CA) from SHA-1 to SHA-256.

2. How to convert the Subordinate CA from SHA-1 to SHA-256.

3. How to request and install SHA-256 certificates on the CA servers.

What is not covered:

1. How to install a Root CA. Please refer to the separate article on a new installation.

2. How to install a Root CA with the SHA-256 algorithm. Please refer to the separate article if you want to install with SHA-256.

3. How to install a Subordinate CA. Please refer to the separate article if you want to install with SHA-256.

Prerequisites:

1. Before you begin, take a backup of the CA, the CA certificates with their private keys, and the certificate templates.

2. Keep the backups in a safe place and ensure the passwords protecting the private keys are stored securely.

3. Ensure there are no Oracle, Unix or Java applications running older versions that support only SHA-1 and not SHA-256. If there are, check how to make them support SHA-256, or skip the migration if the dependency on SHA-1 is too high.

Test every application in your environment to make sure it can perform certificate chain building and revocation checking against certificates and CRLs that have been signed using one of the SHA-2 algorithms. There are hotfixes so that Windows XP SP3 and Windows Server 2003 SP2 can properly chain a certificate whose issuing certification authorities were signed using SHA-2 algorithms.

http://support.microsoft.com/kb/968730/EN-US

Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003

http://support.microsoft.com/kb/938397/EN-US

Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption.

Once all the backups are verified and application support is confirmed, we can begin by checking which hash algorithm the CAs currently use.

As mentioned, we are migrating a 2-tier PKI infrastructure, hence we need to check both the Root CA and the Subordinate CA.

On the ROOT-CA, the command below shows the hash algorithm the CA is configured with:

certutil -v -getreg ca\csp\HashAlgorithm


You can also check it from the Certification Authority console.


You can also verify it in the registry under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP].


The results above show that the Root CA currently supports only the SHA-1 hash algorithm, and the ROOT-CA certificate itself is also signed with SHA-1. The same was verified on the Subordinate CA using the commands above.
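The same checks as one PowerShell script, added here as an example and not part of the original post: it reads the CSP registry key named above, decodes the legacy ALG_ID, reports the signature algorithm of the CA's current certificate, and flags whether the CA key is held by a CNG Key Storage Provider, since the CNGHashAlgorithm setting used in the migration steps only applies in that case. It assumes it is run locally on each CA with administrative rights; no CA name or path is hard-coded.

```powershell
# Added example, not from the original post: report the hash algorithm a CA is
# configured to sign with and the signature algorithm of its current CA certificate.
# Run it on each CA (ROOT-CA and Subordinate CA) before and after the migration.
# It reads the same registry key the post points at; no CA name is hard-coded.
function Get-CaHashStatus {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

    # HashAlgorithm is a legacy CryptoAPI ALG_ID: 0x8004 = SHA-1, 0x800C = SHA-256.
    # On a CNG-based CA it reads -1 (0xFFFFFFFF) and CNGHashAlgorithm applies instead.
    $algId  = @{ 0x8004 = 'SHA1'; 0x800C = 'SHA256'; 0x800D = 'SHA384'; 0x800E = 'SHA512' }
    $legacy = if ($csp.HashAlgorithm -eq -1) { 'n/a (CNG)' } else { $algId[[int]$csp.HashAlgorithm] }

    # "certutil -setreg ca\csp\CNGHashAlgorithm SHA256" only takes effect when the CA key
    # is held by a CNG Key Storage Provider (KSP). With a legacy CSP the key must be
    # migrated to a KSP first, otherwise the CA keeps signing with the legacy algorithm.
    $isKsp  = $csp.Provider -like '*Key Storage Provider*'

    # The CA's own certificate is in the machine Personal store. Its SignatureAlgorithm
    # is what the issuer signed it with (sha1RSA / sha256RSA); the newest one is current.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1

    [pscustomobject]@{
        CAName              = $caName
        Provider            = $csp.Provider
        KeyInKSP            = $isKsp
        LegacyHashAlgorithm = $legacy
        CNGHashAlgorithm    = $csp.CNGHashAlgorithm
        CACertSignature     = $caCert.SignatureAlgorithm.FriendlyName
        # True only when both the signing setting and the CA certificate are SHA-256.
        MigrationComplete   = $isKsp -and ($csp.CNGHashAlgorithm -eq 'SHA256') -and
                              ($caCert.SignatureAlgorithm.FriendlyName -like 'sha256*')
    }
}

Get-CaHashStatus | Format-List
```

Before the migration you should see KeyInKSP True, CNGHashAlgorithm SHA1 and CACertSignature sha1RSA; after both steps on a CA, MigrationComplete should be True.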

Okay, let's begin the migration.

Step 1: Migrating the ROOT-CA hash algorithm to SHA-256.

Run the command below and then restart the Certificate Services:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256


The hash algorithm setting is now SHA-256. Restart the Certificate Services by running the PowerShell command below.

Restart-Service CertSvc

Once restarted, you can see that the ROOT-CA hash algorithm is SHA-256, whereas the ROOT-CA certificate is still signed with SHA-1.


Step 2: Renew the ROOT-CA certificate with SHA-256.

Since the certificate signing algorithm has changed, you need to obtain a new CA certificate signed with SHA-256.

Right-click ROOT-CA –> All Tasks –> Renew CA Certificate.


Click Yes.


Select Yes and click OK.


Now the ROOT-CA certificate also shows SHA-256 as its hash algorithm. So far we have successfully migrated the ROOT-CA to SHA-256.


Step 3: Migrating the Subordinate CA hash algorithm to SHA-256.

Run the command below and then restart the Certificate Services:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256


The setting is now changed; restart the Certificate Services using the command below.

Restart-Service CertSvc

Once restarted, you can see that the Subordinate CA hash algorithm is now SHA-256, whereas the Subordinate CA certificate is still signed with SHA-1.


Step 4: Renew the Subordinate CA certificate with SHA-256.

Since the certificate signing algorithm has changed, you need to obtain a new CA certificate signed with SHA-256.

Right-click the Subordinate CA –> All Tasks –> Renew CA Certificate.


Select Yes and click Yes.


If your ROOT-CA is reachable on the network, you can request the certificate directly from the Subordinate CA. If the ROOT-CA is offline and not on the network, you need to take the request file to the ROOT-CA, obtain the certificate manually, and copy the file back to the Subordinate CA. In my case the ROOT-CA was reachable, hence I requested it directly.
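The offline path described above, as an added example that is not part of the original post: completing the Subordinate CA renewal by hand when ROOT-CA is kept off the network, and distributing the renewed SHA-256 root certificate at the same time. The host name ROOTCA, the CA name ROOT-CA, the D:\Transfer paths and the request ID 3 are placeholders for your environment.

```powershell
# Added example, not from the original post: finishing the Subordinate CA renewal
# when ROOT-CA is offline. Host "ROOTCA", CA name "ROOT-CA", the D:\Transfer paths
# and request ID 3 are placeholders; substitute your own values.

# --- On the Subordinate CA ---------------------------------------------------
# When "Renew CA Certificate" cannot contact the parent CA, the wizard writes a
# certificate request (.req) file to the path you choose. Copy that file to
# removable media and carry it to ROOT-CA (here assumed as D:\Transfer\SubCA.req).

# --- On the offline ROOT-CA --------------------------------------------------
# Submit the request to the root CA ("<host>\<CA common name>").
certreq -submit -config "ROOTCA\ROOT-CA" D:\Transfer\SubCA.req D:\Transfer\SubCA.cer

# An offline root normally holds requests as Pending. Issue it by request ID
# (printed by certreq, or visible under Pending Requests in the console), then retrieve.
certutil -resubmit 3
certreq -retrieve -config "ROOTCA\ROOT-CA" 3 D:\Transfer\SubCA.cer

# Export the renewed (SHA-256) root CA certificate so it can be distributed too.
certutil -ca.cert D:\Transfer\ROOT-CA.crt

# --- Back on the Subordinate CA (domain-joined) ------------------------------
# Publish the renewed root certificate to Active Directory so Group Policy pushes
# it to domain members, and add it to the local Trusted Root store.
certutil -dspublish -f D:\Transfer\ROOT-CA.crt RootCA
certutil -addstore -f Root D:\Transfer\ROOT-CA.crt

# Complete the pending renewal with the certificate signed by ROOT-CA, then restart.
certutil -installcert D:\Transfer\SubCA.cer
Restart-Service CertSvc

# Confirm the Subordinate CA's new certificate is SHA-256 signed (expect sha256RSA).
certutil -ca.cert D:\Transfer\SubCA-check.cer | Out-Null
certutil -dump D:\Transfer\SubCA-check.cer | Select-String 'Signature Algorithm' -Context 0,1
```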


Now the Subordinate CA certificate is also signed with the SHA-256 hash algorithm.


Now both the ROOT-CA and the Subordinate CA are migrated and support the SHA-256 algorithm. From here on, certificates issued by the infrastructure will be signed with SHA-256.


Author Bio

Radhakrishnan Govindan

4 thoughts on “How to Migrate PKI 2-Tier SHA1 to SHA256 in Windows Server 2012 R2”

  1. Hi!
    Thank you for the post. It’s very helpful for us.

    Can you tell me if we have to renew all the certificates issued by the Subordinate CA?
    We are going to update only the Subordinate CA.

      1. Thank you for the answer.
        I mean something else.
        If we update only the subordinate CA, will all the issued certificates start to expire?
        The Root CA stays without changes.

        1. The SUBCA will get the option to issue SHA-2 certificates while the ROOTCA still has its SHA-1 certificate. All the issued certificates are still valid. The SUBCA will get a new certificate once its hash algorithm is changed from SHA-1 to SHA-256; after that the SUBCA will start issuing certificates in SHA-256 as well. All the machines will get SHA-256 certificates once their existing SHA-1 certificates come up for renewal. Hope it clarifies.
