
Windows Server – How to change SHA1 to SHA256, SHA384 or SHA512 options in Certification Authority

Since SHA1 is no longer considered secure and the wider web is moving to stronger standards such as SHA256, SHA384 or SHA512, Windows administrators should also update their internal Microsoft Active Directory Certificate Services to use a stronger cryptographic provider and hash algorithm.

Solution

There are two things that need to be done to secure your CA servers.

The first is to change the internal CSP settings on the servers by using the following commands:

Those commands should be executed on all your CA servers (Root CA and Issuing CA).
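The article does not reproduce the commands themselves. The script below is an added example, not the article's own commands: it reads the CA's CSP configuration from the registry, reports which hash the CA currently signs with, and, when run with `-Apply`, switches it with `certutil -setreg ca\csp\CNGHashAlgorithm` and restarts the service. It assumes the CA's private key is held by a CNG Key Storage Provider (detected here by matching the provider name, an assumption); for a CA whose key still lives in a legacy CSP the CNGHashAlgorithm value has no effect, so the script stops and tells you instead of making a change that would silently do nothing.

```powershell
# Added example (not the article's own commands): inspect and update the hash
# algorithm an AD CS CA uses to sign newly issued certificates and CRLs.
# Run from an elevated PowerShell on each CA (Root CA and Issuing CA).
# Assumption: the CA key is in a CNG Key Storage Provider (KSP). For a legacy
# CSP the CNGHashAlgorithm value is ignored and the key must be migrated first.

param(
    [ValidateSet('SHA256', 'SHA384', 'SHA512')]
    [string]$TargetHash = 'SHA256',
    [switch]$Apply
)

# Locate the active CA configuration in the registry.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$cspKey  = Join-Path $cfgRoot "$caName\CSP"
$csp     = Get-ItemProperty -Path $cspKey

# HashAlgorithm holds a CAPI ALG_ID (meaningful for legacy CSPs);
# CNGHashAlgorithm holds a name such as "SHA256" (used by KSPs).
$algIdNames = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800c = 'SHA256'; 0x800d = 'SHA384'; 0x800e = 'SHA512' }
$isKsp = $csp.Provider -like '*Key Storage Provider*'   # assumption: KSP names contain this phrase

Write-Host "CA:       $caName"
Write-Host "Provider: $($csp.Provider)"
if ($isKsp) {
    $current = $csp.CNGHashAlgorithm
} else {
    $current = $algIdNames[[int]$csp.HashAlgorithm]
    if (-not $current) { $current = ('ALG_ID 0x{0:x}' -f $csp.HashAlgorithm) }
}
Write-Host "Current signing hash: $current"

if ($current -eq $TargetHash) {
    Write-Host "Already signing with $TargetHash; nothing to do."
    return
}
if (-not $isKsp) {
    Write-Warning "The CA key is held by a legacy CSP; migrate it to a KSP before changing the hash."
    return
}
if (-not $Apply) {
    Write-Host "Re-run with -Apply to switch this CA to $TargetHash."
    return
}

# certutil writes CSP\CNGHashAlgorithm; the new hash is used for certificates
# and CRLs issued after the CA service restarts. Existing certificates keep
# their old signature until they are renewed.
certutil -setreg "ca\csp\CNGHashAlgorithm" $TargetHash | Out-Null
Restart-Service -Name certsvc

# Verify that the setting actually took effect.
$after = (Get-ItemProperty -Path $cspKey).CNGHashAlgorithm
if ($after -ne $TargetHash) {
    throw "CNGHashAlgorithm is '$after', expected '$TargetHash'"
}
Write-Host "CA now signs with $after."
```

Run it once without `-Apply` to see the current state, then with `-Apply` on each CA. Note that the change only affects what the CA issues from now on; the CA's own certificate, and every certificate issued earlier, stay SHA1-signed until they are renewed.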

The second place to change settings is the certificate templates that users and administrators use to generate new certificates.

Open up Certificate Templates.

[Screenshot: CA_CSP_Change1]

Find the certificate template you want to update.

[Screenshot: CA_CSP_Change2]

Open up the certificate template you need to change.

[Screenshot: CA_CSP_Change3]

Make sure that the Microsoft Enhanced RSA and AES Cryptographic Provider is selected.

[Screenshot: CA_CSP_Change4]

You can of course have multiple providers selected, but if you want to limit the users' choice, select only one. Save the settings and you're good to go!

Now, when you go to the web enrollment site https://<YourCertServer.corp>/certsrv/ to generate a new certificate, simply choose Request a certificate.

[Screenshot: CA_CSP_Change6]

After choosing a new certificate request, we have to pick the modified certificate template.

[Screenshot: CA_CSP_Change5]

Under Hash Algorithm the new options now appear: SHA1, SHA256, SHA384, SHA512 and, at the end of the list, MD5. If you don't see those options, make sure that the Microsoft Enhanced RSA and AES Cryptographic Provider is chosen as the CSP provider. And you're good to go!
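One check worth running after both changes, as an added example that is not part of the article: the Hash Algorithm chosen in the web enrollment page only signs the certificate request; the signature on the certificate the CA hands back is determined by the CA's own hash setting from the first step. The script below walks the local machine certificate stores and lists every certificate whose signature still uses SHA1 or MD5, which is how you confirm the CA really issues SHA256 (or higher) now and find the older certificates that still need renewing. The list of friendly names it treats as weak is an assumption based on Windows' standard algorithm names.

```powershell
# Added example (not from the article): audit the local machine certificate
# stores for certificates still signed with SHA1 or MD5, so they can be
# renewed after the CA has moved to SHA256/384/512.

# Assumption: these are the Windows friendly names for weak signature algorithms.
$weakHashes = @('sha1RSA', 'md5RSA', 'sha1ECDSA')

$report = foreach ($store in 'My', 'CA', 'Root') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Store        = $store
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            NotAfter     = $_.NotAfter
            SignatureAlg = $alg
            Weak         = ($weakHashes -contains $alg)
        }
    }
}

# Weak ones first so they stand out; the CA certificate itself will still show
# up here until it is renewed, because its own signature does not change when
# the CA's signing hash is changed.
$report | Sort-Object Weak -Descending |
    Format-Table Store, SignatureAlg, Subject, NotAfter -AutoSize

$weak = @($report | Where-Object Weak)
Write-Host ("{0} of {1} certificates are signed with a weak hash and should be renewed." -f $weak.Count, $report.Count)
```

Run it on the CA servers and on a client that has just enrolled a certificate from the modified template: a freshly issued certificate should show `sha256RSA` (or the hash you configured), and anything listed as weak is a candidate for renewal.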

