6/20/2015

MigratingyourCertificationAuthorityHashingAlgorithmfromSHA1toSHA2AsktheDirectoryServicesTeamSiteHomeTechNetBlogs

All About
Windows Server

Cloud Platform
Blogs

Datacenter
Management

Client
Management

Virtualization,
VDI & Remote
Desktop

File & Storage &

High Availability

Windows Server
Management

Identity & Access

Ask the Directory Services Team

Microsoft's official enterprise support blog for AD DS and more

Migrating your Certification Authority Hashing Algorithm from

SHA1 to SHA2
Jason Bender [MSFT]

1 Apr 2015 4:14 PM

Hey all, Rob Greene here again. Well its been a very long while since I have written anything for the AskDS blog. Ive been
heads down supporting all the new cool technology from Microsoft.
I wanted to see if I could head off some cases coming our way with regard to the whole SHA1 deprecation that seems to
be getting talked about on all kinds of PKI related websites. I am not discussing anything new about Microsoft SHA1
deprecation plans. If you want information on this topic please look at the following link: SHA1 Deprecation Policy
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1deprecationpolicy.aspx
It does appears that some Web browsers are on a faster timeline to not allow SHA1 certificates as Goggle Chrome has
outlined in this blog: http://blog.chromium.org/2014/09/graduallysunsettingsha1.html
So as you would suspect, we are starting to get a few calls from customers wanting to know how to migrate their current
Microsoft PKI hierarchy to support SHA2 algorithms. We actually do have a TechNet article explaining the process.
Before you go through this process of updating your current PKI hierarchy, I have one question for you. Are you sure that
all operating systems, devices, and applications that currently use internal certificates in your enterprise actually support
SHA2 algorithms?
How about that ancient Java based application running on the 20 year old IBM AS400 that basically runs the backbone of
your corporate data? Does the AS400 / Java version running on it support SHA2 certificates so that it can do LDAPS calls
to the domain controller for user authentication?
What about the old version of Apache or Tomcat web servers you have running? Do they support SHA2 certificates for the
websites they host?
You are basically going to have to test every application within your environment to make sure that they will be able to do
certificate chaining and revocation checking against certificates and CRLs that have been signed using one of the SHA2
algorithms. Heck, you might remember we have the following hotfixs so that Windows XP SP3 and Windows Server 2003
SP2 can properly chain a certificate that contains certification authorities that were signed using SHA2 algorithms.
Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008based certification
authority CA if the CA is configured to use SHA2 256 or higher encryption
http://support.microsoft.com/kb/968730/ENUS
Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003
http://support.microsoft.com/kb/938397/ENUS
Inevitably we get the question What would you recommend Microsoft? Well that is really a loaded question since we
have no idea what is in your vast enterprise environment outside of Microsoft operating systems and applications. When
this question comes up the only thing that we can say is that any currently supported Microsoft operating system or
application should have no problems supporting a certificate chain or CRL signed using SHA2 algorithms. So if that is the
only thing in your environment you could easily follow the migration steps and be done. However, if you are using a
Microsoft operating system outside of main stream support, it most likely does not support SHA2 algorithms. I actually
had a customer ask if Windows CE supported SHA2; which I had to tell him it does not. Who knew you guys still ran those
things in your environments!
If you have any 3rdparty applications or operating systems, then I would suggest you look on the vendors website or
contact their technical support to get a definitive answer about support for SHA2 algorithms. If you are using a product
that has no support then you might need to stand up a SHA2 certificate chain in a lab environment and test the product.
Once a problem has been identified you can work with that vendor to find out if they have a new version of the
application and/or operating system that supports SHA2 or find out when they plan on supporting it.
If you do end up needing to support some applications that currently do not support SHA2 algorithms, I would suggest
that you look into bringing up a new PKI hierarchy alongside your current SHA1 PKI hierarchy. Slowly begin migrating
SHA2 supported applications and operating systems over to the new hierarchy and only allow applications and operating
systems that support SHA1 on the existing PKI hierarchy.
Nah, I want to do the migration!
So if you made it down to this part of the blog you either actually want to do the migration or curiosity has definitely got
the better of you, so lets get to it. The TechNet article below discusses how to migrate your private key from using a
Cryptographic Service Provider CSP which only supports SHA1 to a Key Storage Provider KSP that supports SHA2
algorithms:
Migrating a Certification Authority Key from a Cryptographic Service Provider CSP to a Key Storage Provider KSP
http://technet.microsoft.com/enus/library/dn771627.aspx
In addition to this process, I would first recommend that you export all the private and public key pairs that your
Certification Authority has before going through with the steps outlined in the above TechNet article. The article seems to
assume you have already taken good backups of the Certification Authorities private keys and public certificates.
Keep in mind that if your Certification Authority has been in production for any length of time you have more than likely
renewed the Certification Authority certificate at least once in its lifetime. You can quickly find out by looking at the
properties of the CA on the general tab.

http://blogs.technet.com/b/askds/archive/2015/04/01/migratingyourcertificationauthorityhashingalgorithmfromsha1tosha2.aspx

1/2

6/20/2015

MigratingyourCertificationAuthorityHashingAlgorithmfromSHA1toSHA2AsktheDirectoryServicesTeamSiteHomeTechNetBlogs

When you change the hashing algorithm over to a SHA2 algorithm you are going to have to migrate all CA certificates to
use the newer Key Storage Providers if you are currently using Cryptographic Service Providers. If you are NOT using the
Microsoft Providers please consult your 3rdparty vendor to find out their recommended way to migrate from CSPs to
KSPs. This would also include those certification authorities that use Hardware Storage Modules HSM.

Steps 1 9 in the article further explain backing up the CA configuration, and then changing from CSPs over to KSPs. This
is required as I mentioned earlier, since SHA2 algorithms are only supported by Key Storage Providers KSP which was not
possible prior to Windows Server 2008 Certification Authorities. If you previously migrated your Windows Server 2003 CA
to one of the newer operating systems you were previously kind of stuck using CSPs.
Step 10 is all about switching over to use SHA2 algorithms, and then starting the Certification Authority back up.
So there you go. You have your existing Certification Authority issuing SHA2 algorithm certificates and CRLS. This does not
mean that you will start seeing the SHA256 RSA for signature algorithm or SHA256 for signature hash algorithm on the
certification authoritys certificates. For that to happen you would need to do the following:
Update the configuration on the CA that issued its certificate and then renew with a new key.
If it is a Root CA then you also need to renew with a new key.
Once the certification authority has been configured to use SHA2 hashing algorithms. not only will newly issued
certificates be signed using the new hashing algorithm, all the certification authorities CRLs will also be signed using the
new hashing algorithm.
Run: CertUtil CRL on the certification authority; which causes the CA to generate new CRLs. Once this is done double click
on one of the CRLs and you will see the new signature algorithm.

As you can tell, not only do newly issued end entity certificates get signed using the SHA2 algorithm, so do all existing
CRLs that the CA needs to publish. This is why you not only have to update the current CA certificate to use KSPs, you also
need to update the existing CA certificates as well as long as they are still issuing new CRLs. Existing CA certificates issue
new CRLs until they expire, once the expiration period has happened then that CA certificate will no longer issue CRLs.
As you can see, asking that simple question of can I migrate my current certification authority from SHA1 to SHA2 its
really not such an easy question to answer for us here at Microsoft. I would suspect that most of you are like me and
would like to err on the side of caution in this regard. If this was my environment I would stand up a new PKI hierarchy
that is built using SHA2 algorithms from the start. Once that has been accomplished, I would test each application in the
environment that leverages certificates. When I run into an application that does not support SHA2 I would contact the
vendor and get on record when they are going to start supporting SHA2, or ask the application owner when they are
planning to stop using the application. Once all this is documented I would revisit these end dates to see if the vendor has
updated support or find out if the application owner has replaced the application with something that does support SHA2
algorithms.
Rob Pass the Hashbrowns Greene
CA_properties.jpg

Tweet

38

Like

38

Share

Save this on Delicious

http://blogs.technet.com/b/askds/archive/2015/04/01/migratingyourcertificationauthorityhashingalgorithmfromsha1tosha2.aspx

2/2