In this post, I will be covering how to Migrate 2-Tier Windows PKI SHA-1 Algorithm Infrastructure to SHA-256(Simply called as SHA-2) Algorithm.
Why do we need this migration:
Server Authentication certificates: CA must begin issuing new certificates using only the SHA-2 algorithm after January 1, 2016. Windows will no longer trust certificates signed with SHA-1 after January 1, 2017.
What is cover in this Article,
1. How to convert ROOT CA(Offline CA) from SHA-1 to SHA-256
2. How to convert Subordinate CA from SHA-1 to SHA-256.
3. How to Request and install SHA-256 Certificates in the CA Servers.
what is not Covered..
1. To Learn how to How to install ROOT CA. Please refer the Article for the new installation.
2. To Learn how to How to install ROOT CA with SHA-256 Algorithm. Please refer the Article if you want to install with SHA-256.
3. To Learn How to install Subordinate CA. Please refer the Article if you want to install with SHA-256.
Prerequisites:
1. Before begin to do anything, Please take backup of CA, Certificates of CA with Private Keys,and Templates.
2. Keep the backups in the Safe place and ensure the passwords of the private keys are kept in the secured place.
3. Ensure there is no Oracle,Unix and Java Applications running with older versions which is not supporting for SHA-256 and it has only support for the SHA-1. If you have you may need to check how to make them supportable for SHA-256 or you have to skip the Migration if there is very high dependency is there for the SHA-1
Test every application within your environment to make sure that they will be able to do certificate chaining and revocation checking against certificates and CRLs that have been signed using one of the SHA2 algorithms. There are some hotfix’s so that Windows XP SP3 and Windows Server 2003 SP2 can properly chain a certificate that contains certification authorities that were signed using SHA2 algorithms.
Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003
Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption.
Once all the Backups are verified and confirmed that applications support. we can begin by check the current CA support of Algorithm.
As I mentioned, We are migrating the 2-Tier PKI Infrastructure, Hence we need to check both ROOT CA and Subordinate CA.
In ROOT-CA, Below is the command to get the SHA Algorithm support in the CA,
Certutil –v –getreg ca\csp\HashAlgorithm
Also, you can check it from Certificate Authority Console,
Even you can verify in the Registry from the path,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP]
So above results shows that Root CA supporting currently only for SHA-1 Hash Algorithm and the Certificate of the ROOT-CA also has the certificate in SHA-1. Same verified the in Subordinate CA using the above commands
Okay..Let’s begin Migration,
Step 1: Migrating ROOT-CA Hash Algorithm of to SHA-256.
Run the below command and restart the Certificate service,
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Now we have successfully migrated to SHA-256. restart the Certificate Service by running the below Powershell command.
Restart-service Certsvc
Once restarted, you can see now that ROOT-CA Hash Algorithm is SHA-256.Wherein ROOT-CA Certificate still has with SHA1.
Step 2: Renew the ROOTCA Certificate with SHA-256.
Since it is certificate algorithm change, You need to get the new certificate with SHA-256.
Right click on ROOTCA–>All Tasks –> Click on Renew CA Certificate
Click on Yes
Select Yes and Click on OK
Now, You can see the ROOT-CA Certificate also shows with Hash Algorithm as SHA-256. So far we have successfully migrated ROOT-CA to SHA-256.
Step 3: Migrating Subordinate CA Hash Algorithm to SHA-256.
Run the below command and restart the Certificate service,
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Now we have successfully migrated, restart the Certificate Service using the below command
Restart-service certsvc
Once restarted, you can see now that Subordinate CA HASH Algorithm is migrated to SHA-256.Herein Certificate of the Subordinate still has with SHA1.
Step 2: Renew the Subordinate CA Certificate with SHA-256.
Since it is Certificate Algorithm change, You need to get the new certificate with SHA-256.
Right click on Subordinate CA–>All Tasks –> Click on Renew CA Certificate
Select Yes and Click on YES
If you’re ROOT-CA is reachable and in network, you can directly request from the Subordinate CA, ROOT-CA is not in network and offline, You need to take the request file and manually get the certificate and copy the file to the Subordinate CA. In my case, ROOT-CA is reachable,Hence i have requested directly.
Now, the Subordinate CA Certificate also in the SHA-256 hash Algorithm.
So now ROOT-CA and Subordinate CA both are migrated and supports for SHA-256 Algorithm. hereafter the issuing Certificates from the infra will be in the SHA-256.