<div>
Hi,<br />
<br />
Please refer to the steps advised in the below articles.<br />
<br />
<a href="https://support.symantec.com/en_US/article.TECH246255.html" rel="ugc">https://support.symantec.com/en_US/article.TECH246255.html</a><br />
<br />
<a href="https://itsalwaysmyproblem.com/2017/06/07/upgrading-windows-pki-from-sha1-to-sha2/" rel="ugc">https://itsalwaysmyproblem.com/2017/06/07/upgrading-windows-pki-from-sha1-to-sha2/</a><br />
<br />
Hope that helps.<br />
<br />
Thanks,<br />
Abhi...
</div>


Hi,

Please refer to the steps advised in the below articles.

https://support.symantec.com/en_US/article.TECH246255.html [https://support.symantec.com/en_US/article.TECH246255.html]

https://itsalwaysmyproblem.com/2017/06/07/upgrading-windows-pki-from-sha1-to-sha2/ [https://itsalwaysmyproblem.com/2017/06/07/upgrading-windows-pki-from-sha1-to-sha2/]

Hope that helps.

Thanks,
Abhi...

sara2000

<div>
So the SHA2 will not be effective until we &nbsp;PCs get new certificate? Is there anyway we can renew the PC's cert after SHA256 instead &nbsp;of waiting for the renewal period?
</div>


So the SHA2 will not be effective until we  PCs get new certificate? Is there anyway we can renew the PC's cert after SHA256 instead  of waiting for the renewal period?

<div>
SHA2 will not be effective until your CA certificate is renewed with SHA256 bit key<br />
Once you renewed CA cert with new algorithm, your clients can get certs with 256 bit key algorithm<br />
However clients will not trigger autoenrollment again before their renewal period starts<br />
U could revoke currently issued certs from CA console so that client will try to renroll new cert - test it 1st
</div>


SHA2 will not be effective until your CA certificate is renewed with SHA256 bit key
Once you renewed CA cert with new algorithm, your clients can get certs with 256 bit key algorithm
However clients will not trigger autoenrollment again before their renewal period starts
U could revoke currently issued certs from CA console so that client will try to renroll new cert - test it 1st

<div>
<div class="content wysiwyg-content">
I would like to upgrade our root &nbsp;CA from SHA1 to SHA256.<br />
I would appreciate if any help on this <br />
<br />
In particular, what would happen the existing issued certificates for computers. Server's and service accounts? Is it not disruptive upgrades?
</div>
</div>


I would like to upgrade our root  CA from SHA1 to SHA256.
I would appreciate if any help on this 

In particular, what would happen the existing issued certificates for computers. Server's and service accounts? Is it not disruptive upgrades?

Upgrade root .CA from SHA1

PKI CERTIFICATES

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.