Upgrading Windows Server 2008 R2 Certificate Authority to SHA-256


After implementing SSL for our WordPress site, I noticed that the padlock in chrome was not green. I knew because we were using a self-signed internal CA it wouldn’t be perfect, but I was still curious. So checking it through www.whynopadlock.com it indicated that the SSL certificate was using SHA-1 algorithm. Well, current searches revealed that this will soon be deprecated and that we were in need of updating our CAs to SHA-2 in order to avoid padlock warning in chrome (and all other necessary security requirements). Here’s a quick synopsis of the steps taken on the Windows Server 2008 R2 CA role server.

  • open administrative command prompt
  • ‘certutil -setreg ca\csp\CNGHashAlgorithm SHA256’
  • net stop certsvc && net start certsvc’
  • observe the CA properties now showing SHA256 for ‘Hash Algorithm’

CA update
The next steps involved updating the CA certificate itself:

  • in Certificate Authority MMC console, select the CA and open All Tasks, select Renew CA Certifcate.
  • Accept the request to stop the Active Directory Certificate Service
  • Select Yes to generate a new signing key.

To confirm the configuration:

  • Select the CA and open Properties
  • On the General tab, observe the actual Hash Algorithm of SHA256
  • View the certificate properties and browse the Details. Under the Signature hash Algorithm it should display SHA256. Notice that the previous certificate details show SHA1.

All certificates generated by the CA should now be using SHA256 Hash Alogirthm.

About the Author

Nizam Mohamed

Nizam Mohamed is a technical architect, specialising in cloud solutions, virtualization and end-user computing. Other technology interests include Enterprise Technologies, Cybersecurity and Enterprise Desktop Management.

You may also like these