<div>
1) you can, if you do old certificates can still be valid. (then the root ca is &quot;renewed&quot;.<br />
&nbsp;there is no need to... new Root key does mean all keys stil alive that are signed by the old key will need resigning as well.<br />
(unless you start a new root, new id etc. then they can live in parallel until you revoke the old root).<br />
<br />
2. should not happen if old CA key is reissued identically (signing still matches), ID's are the same.<br />
&nbsp; &nbsp; if there is a parallel certificate it is just like switching from CA root. As log as both root can be verified the both should work.<br />
<br />
My question to you .... just to practice all the situations on your site, why not try this in &nbsp;with lab system...<br />
That will also provide you with the training you need for transition and when to do what and how long actions take.<br />
As wel as provide a chance to exercise.
</div>


<div>
Thanks Noci.<br />
I am using Microsoft hands-on-lab. I issued the command below on the cert server.<br />
PS&gt;Certutil -setreg ca\csp\CNGHashalgorithm SHA256 and noticed the Certificate#0 has been changed from SHA1 to SHA256.<br />
Does this mean i do not need to renew the root CA's certificate and future client's certificate will be SHA256?
</div>


<div>
I have no windows systems..., x509 certificates work in a certain way... i have no idea how the Microsoft Cert server works and what is available or not. or how it needs to be configured....<br />
<br />
For certificates to be recognized they must be in some way be &quot;trusted&quot;. On unix systems that is they must be in the /etc/ssl/certs directory together with a &nbsp;symlink &nbsp;to it of the fingerprint.<br />
In Java they need to be added to the trusted store, i guess Windows also has a trusted store. &nbsp;(on each system that must be able to verify the CA root)... that is all systems that use the current Certificate.
</div>


sara2000

<div>
Thank you for the reply. <br />
I am working on a lab server. I am trying to renew the root CA with the same key pair after I upgraded signature-algorithm but, I do not get the new root certificate, if I renew the certificate with the new key pair then I get a new root certificate. I am not sure why I cannot create a new cert with the same key.<br />
Will there any issue if I create the new root certificate with the new key?
</div>


<div>
You cannot upgrade algorithm and renew using same key.
</div>


<div>
I have seen couple of articles and they mentioned either use same key or new key.<br />
Here is the Microsoft article which must have been verified.<br />
<a href="https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/" rel="ugc">https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/</a><br />
<br />
&quot;Renewing the CA’s own certificate with a new or existing (same) key would depend on the remaining validity of the certificate. If the certificate is at or nearing 50% of its lifetime, it would be a good idea to renew with a new key. See the following for additional information on CA certificate renewal –&quot;<br />
Also<br />
The link below does either.<a href="https://support.symantec.com/en_US/article.TECH246255.html" rel="ugc">https://support.symantec.com/en_US/article.TECH246255.html</a>
</div>


<div>
So there you go. You have your existing Certification Authority issuing SHA2 algorithm certificates and CRLS. This does not mean that you will start seeing the SHA256 RSA for signature algorithm or SHA256 for signature hash algorithm on the certification authority’s certificates. For that to happen you would need to do the following:<br />
<br />
· Update the configuration on the CA that issued its certificate and then renew with a new key.<br />
<br />
· If it is a Root CA then you also need to renew with a new key.<br />
<br />
from this blog: <a href="https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/" rel="ugc nofollow">https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/</a><br />
<br />
if you create with a new key, the only thing you need to make sure, is that the root certificate is published to a valid AIA location
</div>


<div>
Soory for my lack of knowledge.<br />
&quot;Update the configuration on the CA that issued its certificate and then renew with a new key.&quot;<br />
Is that certutil Certuti -setreg ?
</div>


<div>
ah .... i probably was a bit short on that last message<br />
<br />
do this to change to SHA256<br />
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
</div>


<div>
Thanks Jacob.<br />
Should I run certutil &nbsp;-crl at the end?I appreciate your help.
</div>


<div>
<div class="content wysiwyg-content">
We have a root Ent CA root server with SHA1 and Key Storage provider (KSP) running on Windows 2012 R2. We are planing to move it from SHA1to SHA2. I have couple of questions hope someone shed the light on it.<br />
Right now, We have root cert certificate#0 with SHA1. &nbsp;i guess that we have to renew the root certificate for SHA2 for future clients certificates &nbsp;by issuing &nbsp;Certutil -setreg ca\csp\CNGHashalgorithm SHA256 ,<br />
1. Will this command change certificate#0 to 256 from SHA1 or I have to renew root CA and get certificate#1 ?<br />
<br />
2. We have a authentication server with SHA1 cert , will there be any issue if a user's &nbsp;PC get renewed with SHA2 certificate before the authentication server?
</div>
</div>


We have a root Ent CA root server with SHA1 and Key Storage provider (KSP) running on Windows 2012 R2. We are planing to move it from SHA1to SHA2. I have couple of questions hope someone shed the light on it.
Right now, We have root cert certificate#0 with SHA1.  i guess that we have to renew the root certificate for SHA2 for future clients certificates  by issuing  Certutil -setreg ca\csp\CNGHashalgorithm SHA256 ,
1. Will this command change certificate#0 to 256 from SHA1 or I have to renew root CA and get certificate#1 ?

2. We have a authentication server with SHA1 cert , will there be any issue if a user's  PC get renewed with SHA2 certificate before the authentication server?

SHA1 to SHA256

Public Key Infrastructure (PKI)

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.