SSL certificates signed with the Secure Hash Algorithm 1 (SHA-1) will be blocked after 2016.
Google Chrome has already started warning end users when they connect to a secure website whose SSL certificate is signed with SHA-1. You have to replace SHA-1 certificates that expire after January 1, 2017 with the stronger SHA-2 certificates, and when ordering new SSL certificates, confirm with the CA that it issues them with the SHA-2 algorithm.
Configuring the Enterprise CAs to use the SHA-256 algorithm
If your organization has its own internal CA PKI, you have to ensure that it’s generating SHA-2 certificates.
Check which hash algorithm is being used:
- Right-click the CA and go to the General tab.
- If SHA-1 is listed, run the following certutil command to configure the CA to use the SHA-256 algorithm:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
The output will be like:
Old Value:
CNGHashAlgorithm REG_SZ = SHA1
New Value:
CNGHashAlgorithm REG_SZ = SHA256
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
- Restart the CertSvc service to apply the change.
Now when you view the CA properties, you’ll see that the hash algorithm is SHA-256.
- All future certificates issued by this CA will use SHA-256.
- Existing certificates will still use SHA-1. You need to renew any SHA-1 certificates issued by this CA to upgrade them to SHA-2 certificates.
If your CA runs on a version older than Windows Server 2008 R2, you can’t upgrade it to use SHA-2; you’ll need to rebuild it on a newer version.
If your organization’s internal CA is multi-tiered with one or more subordinate CAs, you’ll need to reconfigure each of them to use SHA-2 as well, by running the same certutil command given above on each subordinate or issuing CA.
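The check that goes with the procedure above, as an added PowerShell example that is not part of the original article: it reads the CA's current CNGHashAlgorithm setting with certutil and then lists certificates in the local machine store that still carry a SHA-1 signature and expire after January 1, 2017, which are the ones that need renewing. It assumes it runs on the CA host with rights to read the CA configuration, and that the CA key is held in a CNG key storage provider (the CNGHashAlgorithm value only takes effect in that case).

```powershell
# Added example, not from the original article. Audits the hash algorithm the
# CA is configured to sign with and reports SHA-1 certificates that outlive the
# 2017-01-01 cutoff. Assumes: run on the CA host, account may read CA config.

# 1. Read the value the article sets (same registry key as the -setreg command).
#    certutil -getreg prints a line like "CNGHashAlgorithm REG_SZ = SHA256".
$current = (certutil -getreg ca\csp\CNGHashAlgorithm 2>&1) |
    Select-String -Pattern 'CNGHashAlgorithm REG_SZ = (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if ($current -ne 'SHA256') {
    Write-Warning ("CA hash algorithm is '$current', expected SHA256. " +
        "Run: certutil -setreg ca\csp\CNGHashAlgorithm SHA256, then restart CertSvc.")
} else {
    Write-Output "CA hash algorithm is SHA256."
}

# 2. Existing certificates keep their SHA-1 signature until renewed, so list the
#    ones in the local machine store that are SHA-1 signed and still valid after
#    the cutoff. SignatureAlgorithm.FriendlyName is e.g. "sha1RSA" or "sha256RSA".
$cutoff = Get-Date '2017-01-01'
$toRenew = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse |
    Where-Object {
        $_.SignatureAlgorithm.FriendlyName -match 'sha1' -and $_.NotAfter -gt $cutoff
    } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }

if ($toRenew) {
    Write-Output "SHA-1 certificates expiring after $($cutoff.ToShortDateString()) (renew these):"
    $toRenew | Format-Table -AutoSize
} else {
    Write-Output "No SHA-1 certificates expiring after $($cutoff.ToShortDateString()) found."
}
```

Point step 2 at other stores (for example Cert:\LocalMachine\WebHosting or the CA's own issued-certificate database via certutil -view) to widen the search beyond the local machine store.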