Active Directory Certificate Services self-signed certificate. Chrome shows as unsupported because of being SHA-1.

Yashy asked:
Hi guys

I've just had to use Active Directory Certificate Services to create a self-signed web certificate for our firewall. Our servers are Windows 2008 R2.

I've installed the certificate with 2048-bit encryption, but now Google Chrome is having a hissy fit because it says that it is SHA-1 and that it is untrusted.

Does Windows 2008 R2 support SHA-2 at all? Or is this one of those doomsday things that I can't do anything about unless I upgrade to Windows 2012 R2?

Thanks for helping
You need to enable support for internal SHA1 cert chains. This can be done via Chrome GPO settings.


There is no real push for internal CAs to move to SHA-2; it's more of an advisory for the public. Still a good idea if you can. As for upgrading your 2008 R2 CA to SHA-2, you certainly can, but you might as well migrate off of 2008 R2 as it's approaching end of life anyway.
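An added example, not from the original thread, of how a practitioner would confirm the diagnosis and apply the workaround the answer above describes. It lists which certificates in the machine stores are SHA-1 signed (Chrome objects to a SHA-1 signature anywhere in the chain below the root, so the issuing CA certificate matters too), reads the hash algorithm the AD CS CA is configured to sign with, and writes the Chrome registry value that the GPO setting writes. Assumptions: it runs elevated, the certutil line is run on the CA itself, and the policy name EnableSha1ForLocalAnchors and the registry path are assumed from Chrome's documented policy layout rather than taken from this page; the policy was a temporary accommodation, so it only has effect on Chrome versions that still honour it.

```powershell
# Added example (not the thread's own code). Run elevated.

# 1. Which installed certificates are SHA-1 signed? Check the CA store as well as
#    the personal store: a SHA-1 issuing CA breaks the chain even if the leaf is SHA-256.
function Get-Sha1SignedCert {
    Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\CA -ErrorAction SilentlyContinue |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
        Select-Object Subject, Issuer, NotAfter,
            @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
}
Get-Sha1SignedCert | Format-Table -AutoSize

# 2. What hash does the CA sign with? (run on the CA)
#    "SHA1" here means every newly issued cert will keep triggering the Chrome warning.
#    Changing it is: certutil -setreg ca\csp\CNGHashAlgorithm SHA256 ; net stop certsvc ; net start certsvc
#    This affects only certificates issued after the change and needs a CNG (KSP) CA key;
#    a CA whose key lives in a legacy CSP exposes the hash under ca\csp\HashAlgorithm instead.
certutil -getreg ca\csp\CNGHashAlgorithm

# 3. Chrome workaround: allow SHA-1 for chains that end in a locally trusted root.
#    This is the same DWORD the Chrome ADMX policy sets (policy name is an assumption).
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromePolicy)) {
    New-Item -Path $chromePolicy -Force | Out-Null
}
New-ItemProperty -Path $chromePolicy -Name 'EnableSha1ForLocalAnchors' `
    -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $chromePolicy -Name 'EnableSha1ForLocalAnchors'
```

Step 1 is worth running before step 3: if the only SHA-1 signature is on the root certificate itself, Chrome does not complain about it (root signatures are not checked), and the warning is coming from somewhere else in the chain.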


The issue is that there's a lot of talk about the central store for the .admx files. So for example, I have this location: \\uk.fc.local\SysVol\uk.fc.local\Policies

But I see a load of policies in there. I don't see a 'PolicyDefinitions' folder, which is where everyone keeps saying I have to put these files? Not making sense.

I appreciate the help.
OK, not sure what the GPO question has to do with certificates, but... You will not see a PolicyDefinitions folder there until you make it. By default the folder holding the definitions is C:\Windows\PolicyDefinitions. But to use new ADMX files, you need to create a folder called PolicyDefinitions in the SYSVOL\<domain>\Policies folder. Then copy the existing files and folders from C:\Windows\PolicyDefinitions to that folder. This creates a central store, so when you add new templates (.admx and .adml files), they will replicate to all DCs. Any new templates should be added to the central store when you download them.
The specifics are covered here.

Also, for your CA, I recommend you add a new Root CA running 2012 R2 or 2016. Then just remove the templates from your current CA so it does not issue new ones. You will need to keep the old CA around until the issued certs expire. Any new certs, as long as your new CA is an Enterprise Root CA, will come from it. Trying to change your old CA to SHA-2 seldom works right.
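The central store procedure from the answer above, as an added example that is not part of the original post: create SYSVOL\<domain>\Policies\PolicyDefinitions, seed it from the local C:\Windows\PolicyDefinitions (including the culture subfolders that hold the .adml files), drop the new Chrome templates into it, and verify that every .admx has its matching .adml. The domain name uk.fc.local is taken from the asker's path; the location of the downloaded Chrome templates ($chromeAdmx) and the admx\en-US layout inside Google's template bundle are assumptions.

```powershell
# Added example (not the thread's own code). Run elevated from a domain-joined admin box.
$domain  = 'uk.fc.local'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$local   = Join-Path $env:windir 'PolicyDefinitions'
$culture = 'en-US'
# Extracted Google policy_templates bundle; path and layout are assumptions.
$chromeAdmx = 'C:\Temp\policy_templates\windows\admx'

# 1. Create the central store once. Until this folder exists, GPMC reads the local
#    %windir%\PolicyDefinitions of whatever machine you open it on, which is why
#    SYSVOL\<domain>\Policies shows only GUID-named policy folders today.
if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
    # /E keeps the culture subfolders; an .adml must sit in a culture-named folder
    # next to its .admx or GPMC will not load the template.
    robocopy $local $central /E /R:1 /W:1 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

# 2. Add new templates to the central store, never to C:\Windows\PolicyDefinitions,
#    so every DC and admin workstation sees the same set after SYSVOL replication.
Copy-Item -Path (Join-Path $chromeAdmx 'chrome.admx') -Destination $central -Force
Copy-Item -Path (Join-Path $chromeAdmx "$culture\chrome.adml") `
          -Destination (Join-Path $central $culture) -Force

# 3. Verify: an .admx without a matching .adml produces a parse error in GPMC
#    for that template, so report any orphans before opening the editor.
function Get-OrphanAdmx {
    param([string]$Store, [string]$Culture)
    Get-ChildItem -Path $Store -Filter *.admx |
        Where-Object { -not (Test-Path (Join-Path $Store "$Culture\$($_.BaseName).adml")) } |
        Select-Object -ExpandProperty Name
}
$orphans = Get-OrphanAdmx -Store $central -Culture $culture
if ($orphans) { Write-Warning ("Missing {0} ADML for: {1}" -f $culture, ($orphans -join ', ')) }
else          { Write-Host "Central store at $central is consistent." }
```

After the copy, open GPMC and expand Computer Configuration > Policies > Administrative Templates; the heading will read "Policy definitions (ADMX files) retrieved from the central store" once the new folder is in use, and the Chrome settings (including the SHA-1 local anchor policy) will appear under Google.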
That is your C:\Windows\PolicyDefinitions folder, and you copy the contents of that to the "SYSVOL\<your domain>\Policies" folder on the domain controller.
