Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Here we can see my CA server is using SHA1.

Note: If your server says the provider is Microsoft Strong Cryptographic Provider and not Microsoft Software Key Storage Provider then skip down a bit.


You may have multiple certificates (that is not unusual).

Open a PowerShell window (run as administrator) and issue the following command:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256



Restart Certificate Services.

net stop certsvc
net start certsvc



Now you need to generate a new CA certificate (Renew CA Certificate).

Now you can see your new cert is using SHA256.
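The steps above with a check before and after, as an added example that is not part of the original post. It assumes the standard CertSvc configuration registry location; the function names and the temp file name are made up for illustration.

```powershell
# Added example: pre-check, change and post-check for the SHA1 -> SHA256 migration.
# Run in an elevated PowerShell session on the CA server.
$ErrorActionPreference = 'Stop'
# Assumption: standard location of the AD CS configuration in the registry.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaCspSetting {
    # The "Active" value names the CA; its CSP subkey holds provider and hash.
    $caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $csp = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")
    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
    }
}

function Get-CaCertSignatureAlgorithm {
    # Export the current CA certificate and read the algorithm it was signed with.
    $file = Join-Path $env:TEMP 'ca-current.cer'   # hypothetical file name
    # '-ca.cert' is quoted so PowerShell does not split it at the dot.
    certutil -f '-ca.cert' $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed ($LASTEXITCODE)" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $cert.SignatureAlgorithm.FriendlyName          # e.g. sha1RSA or sha256RSA
}

$before = Get-CaCspSetting
$before | Format-List

# The registry change only applies to the Key Storage Provider case.
if ($before.Provider -ne 'Microsoft Software Key Storage Provider') {
    Write-Warning "Provider is '$($before.Provider)'; CNGHashAlgorithm change not applied."
    return
}

if ($before.CNGHashAlgorithm -ne 'SHA256') {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
    net stop certsvc
    net start certsvc
}

# The existing CA certificate keeps its old signature until it is renewed.
$sig = Get-CaCertSignatureAlgorithm
if ($sig -match 'sha256') {
    Write-Output "CA certificate is signed with $sig."
} else {
    Write-Warning "CA certificate is still signed with $sig; renew the CA certificate, then re-run."
}
```

Running it again after the renewal should report a SHA256 signature on the CA certificate.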
