top of page

How to Migrate PKI 2-Tier SHA1 to SHA256 in Windows Server 2012 R2

In this post, I will be covering how to Migrate 2-Tier Windows PKI SHA-1 Algorithm Infrastructure to SHA-256(Simply called as SHA-2) Algorithm.

Why do we need this migration:

Server Authentication certificates: CA must begin issuing new certificates using only the SHA-2 algorithm after January 1, 2016. Windows will no longer trust certificates signed with SHA-1 after January 1, 2017.

What is cover in this Article,

1. How to convert ROOT CA(Offline CA)  from SHA-1 to SHA-256

2. How to convert Subordinate CA from SHA-1 to SHA-256.

3. How to Request and install SHA-256 Certificates in the CA Servers.

what is not Covered..

1. To Learn how to How to install ROOT CA. Please refer the Article for the new installation.

2. To Learn how to How to install ROOT CA with SHA-256 Algorithm. Please refer the Article if you want to install with SHA-256.

3. To Learn How to install Subordinate CA. Please refer the Article if you want to install with SHA-256.


1. Before begin to do anything, Please take backup of CA, Certificates of CA with Private Keys,and Templates.

2. Keep the backups in the Safe place and ensure the passwords of the private keys are kept in the secured place.

3. Ensure there is no Oracle,Unix and Java Applications running with older versions which is not supporting for SHA-256 and it has only support for the SHA-1. If you have you may need to check how to make them supportable for SHA-256 or you have to skip the Migration if there is very high dependency is there for the SHA-1

Test every application within your environment to make sure that they will be able to do certificate chaining and revocation checking against certificates and CRLs that have been signed using one of the SHA2 algorithms. There are some hotfix’s so that Windows XP SP3 and Windows Server 2003 SP2 can properly chain a certificate that contains certification authorities that were signed using SHA2 algorithms.

Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003

Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption.

Once all the Backups are verified and confirmed that applications support. we can begin by check the current CA support of Algorithm.

As I mentioned, We are migrating the 2-Tier PKI Infrastructure, Hence we need to check both ROOT CA and Subordinate CA.

In ROOT-CA, Below is the command to get the SHA Algorithm support in the CA,

Certutil –v –getreg ca\csp\HashAlgorithm  

Also, you can check it from Certificate Authority Console,


Even you can verify in the Registry from the path,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Your CA Common Name>\CSP]


So above results shows that  Root CA supporting currently only for  SHA-1 Hash Algorithm and the Certificate of the ROOT-CA also has the certificate in SHA-1. Same verified the in Subordinate CA using the above commands

Okay..Let’s begin Migration,

Step 1: Migrating  ROOT-CA Hash Algorithm of  to SHA-256.

Run the below command and restart the Certificate service,

certutil -setreg ca\csp\CNGHashAlgorithm SHA256


Now we have successfully migrated to SHA-256. restart the Certificate Service by running the below Powershell command.

Restart-service Certsvc

Once restarted, you can see now that ROOT-CA Hash Algorithm is SHA-256.Wherein ROOT-CA Certificate still has with SHA1.


Step 2: Renew the ROOTCA Certificate with SHA-256.

Since it is certificate algorithm change, You need to get the new certificate with SHA-256.

Right click on ROOTCA–>All Tasks –> Click on Renew CA Certificate


Click on Yes


Select Yes and Click on OK


Now, You can see the ROOT-CA Certificate also shows with Hash Algorithm as SHA-256. So far we have successfully migrated ROOT-CA to SHA-256.


Step 3:  Migrating Subordinate CA Hash Algorithm to SHA-256.

Run the below command and restart the Certificate service,

certutil -setreg ca\csp\CNGHashAlgorithm SHA256


Now we have successfully migrated, restart the Certificate Service using the below command

Restart-service certsvc

Once restarted, you can see now that Subordinate CA HASH Algorithm is migrated to SHA-256.Herein Certificate of the Subordinate still has with SHA1.


Step 2: Renew the Subordinate CA Certificate with SHA-256.

Since it is Certificate Algorithm change, You need to get the new certificate with SHA-256.

Right click on Subordinate CA–>All Tasks –> Click on Renew CA Certificate


Select Yes and Click on YES


If you’re ROOT-CA is reachable and in network, you can directly request from the Subordinate CA, ROOT-CA is not in network and offline, You need to take the request file and manually get the certificate and copy the file to the Subordinate CA. In my case, ROOT-CA is reachable,Hence i have requested directly.


Now, the Subordinate CA Certificate also in the SHA-256 hash Algorithm.


So now ROOT-CA and Subordinate CA both are migrated and supports for SHA-256 Algorithm. hereafter the issuing Certificates from the infra will be in the SHA-256.

27 views0 comments

Recent Posts

See All

Error 400 Bad Request when connecting ADFS Services

Noticed Error 400 Bad request in ADFS when trying to reach adfs services for authentication. ideally it happens if created CNAME record for ADFS Services. ADFS Will not support mapping the CNAME Recor


bottom of page