Tuncay Sahin

ICT Engineer | ICT Lecturer & Trainer

SSL certificates signed with the Secure Hash Algorithm 1 (SHA-1) will be blocked after 2016.
Google Chrome has already started warning end users when they connect to a secure website whose SSL certificate is signed with SHA-1. Replace any SHA-1 certificate that expires after January 1, 2017 with a certificate signed with the stronger SHA-2 family (in practice SHA-256). When ordering new SSL certificates, confirm with the CA that it issues SHA-2 certificates.

Configuring the Enterprise CAs to use the SHA-256 algorithm

If your organization runs its own internal PKI, you have to ensure that its CAs are issuing SHA-2 certificates.

Check which hash algorithm is being used:

  • Open the Certification Authority console (certsrv.msc), right-click the CA, choose Properties and look at the Hash algorithm field on the General tab.
  • If SHA-1 is listed, run the following certutil command on the CA to configure it to use the SHA-256 algorithm:

    certutil -setreg ca\csp\CNGHashAlgorithm SHA256

  The output will look like this:

Old Value:
CNGHashAlgorithm REG_SZ = SHA1

New Value:
CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

  • Restart the CertSvc service to apply the change.

Now when you view the CA properties, you’ll see that the hash algorithm is SHA-256.

  • All certificates issued by this CA from now on will be signed with SHA-256.
  • Certificates that were already issued keep their SHA-1 signature, and so does the CA's own certificate until it is renewed. You need to renew any SHA-1 certificates issued by this CA to upgrade them to SHA-2 certificates.
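The steps above, as an added example that is not part of the original post: a PowerShell script, run as administrator on the CA itself, that reads the active CA's CSP settings from the registry, refuses to continue if the key is held in a legacy CSP (the CNGHashAlgorithm value is only honoured for keys in a CNG key storage provider), applies the same certutil change as above, restarts CertSvc, verifies the result, and finally lists certificates in the local machine store that still carry a SHA-1 signature. The registry path under CertSvc\Configuration and the "Active" value are standard AD CS locations; the store path passed to Find-Sha1Certificates is an assumption you can change to suit your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: switch an AD CS Enterprise CA from SHA-1 to SHA-256 and verify.
# Run on the CA server. Not code from the original post.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# AD CS stores the common name of the active CA in the "Active" value.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$cspKey = Join-Path $configKey "$caName\CSP"

function Get-CaHashConfig {
    # Provider tells us CSP vs KSP; CNGHashAlgorithm is what certutil -setreg writes.
    $csp = Get-ItemProperty -Path $cspKey
    [pscustomobject]@{
        CA               = $caName
        Provider         = $csp.Provider
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
    }
}

function Find-Sha1Certificates {
    param([string]$StorePath = 'Cert:\LocalMachine\My')  # assumption: scan the machine's personal store
    # SignatureAlgorithm is the algorithm the issuer used to sign this certificate,
    # e.g. sha1RSA or sha256RSA. It is not the key algorithm.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
        Select-Object Subject, Issuer, NotAfter,
            @{ Name = 'Signature'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

$before = Get-CaHashConfig
Write-Host "Before:"; $before | Format-List | Out-String | Write-Host

# A legacy CSP (for example "Microsoft Strong Cryptographic Provider") cannot sign
# with SHA-2. The key must first be migrated to a KSP; rebuilding is the alternative.
if ($before.Provider -notlike '*Key Storage Provider*') {
    throw "CA key is held in legacy CSP '$($before.Provider)'. Migrate it to a CNG KSP before changing the hash algorithm."
}

if ($before.CNGHashAlgorithm -eq 'SHA256') {
    Write-Host 'CA already signs with SHA-256; nothing to change.'
} else {
    # Same change the post makes by hand.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    # Restart-Service waits until the service reports Running again.
    Restart-Service -Name CertSvc
}

$after = Get-CaHashConfig
if ($after.CNGHashAlgorithm -ne 'SHA256') {
    throw "CNGHashAlgorithm is '$($after.CNGHashAlgorithm)', expected SHA256."
}
Write-Host "After:"; $after | Format-List | Out-String | Write-Host

# Newly issued certificates are SHA-256 from here on, but nothing already issued
# changes, including the CA's own certificate. List what still needs renewing.
$stale = Find-Sha1Certificates
if ($stale) {
    Write-Host "Certificates still signed with SHA-1 (renew these):"
    $stale | Format-Table -AutoSize
} else {
    Write-Host 'No SHA-1-signed certificates found in the scanned store.'
}
```

The Provider check is the part most often missed: on a CA whose key was created with a legacy CSP the registry value is written without complaint, but the CA keeps signing with SHA-1 because the CSP ignores CNGHashAlgorithm.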

If your CA runs on a version older than Windows Server 2008 R2, or its key is stored in a legacy cryptographic service provider (CSP) rather than a CNG key storage provider (KSP), you can't switch it to SHA-2 with this command. Either migrate the CA key to a KSP (Microsoft documents the back-up, re-import and restore procedure) or rebuild the CA on a newer version.
If your organization's internal CA is multi-tiered with one or more subordinate CAs, you'll need to reconfigure them to use SHA-2 as well, using the same certutil command on each subordinate or issuing CA. Work from the top down: switch the root first, then renew each subordinate CA's certificate from its parent so that the subordinate's own certificate is signed with SHA-256, and only then switch the subordinate. A SHA-1 signature anywhere in the chain, other than the root's self-signature, will still trigger the browser warning.

More information

For more information or a personal consultation, feel free to contact me at any time without obligation.