SHA1 to SHA256

We have a root Enterprise CA server with SHA1 and the Key Storage Provider (KSP) running on Windows 2012 R2. We are planning to move it from SHA1 to SHA2. I have a couple of questions; I hope someone can shed some light on them.
Right now, we have root cert certificate#0 with SHA1. I guess that we have to renew the root certificate for SHA2 for future client certificates by issuing Certutil -setreg ca\csp\CNGHashalgorithm SHA256.
1. Will this command change certificate#0 from SHA1 to SHA256, or do I have to renew the root CA and get certificate#1?

2. We have an authentication server with a SHA1 cert; will there be any issue if a user's PC gets renewed with a SHA2 certificate before the authentication server?
sara2000 Asked:

noci (Software Engineer) Commented:
1) You can; if you do, old certificates can still be valid (then the root CA is "renewed").
There is no need to... a new root key does mean all keys still alive that are signed by the old key will need resigning as well
(unless you start a new root, new ID etc.; then they can live in parallel until you revoke the old root).

2. Should not happen if the old CA key is reissued identically (signing still matches, IDs are the same).
If there is a parallel certificate it is just like switching the CA root. As long as both roots can be verified, both should work.

My question to you .... just to practice all the situations on your site, why not try this with a lab system...
That will also provide you with the training you need for the transition, and when to do what and how long actions take.
As well as provide a chance to exercise.
sara2000 (Author) Commented:
Thanks Noci.
I am using the Microsoft hands-on lab. I issued the command below on the cert server:
PS> Certutil -setreg ca\csp\CNGHashalgorithm SHA256
and noticed that Certificate#0 has been changed from SHA1 to SHA256.
Does this mean I do not need to renew the root CA's certificate, and future client certificates will be SHA256?
noci (Software Engineer) Commented:
I have no Windows systems... X.509 certificates work in a certain way... I have no idea how the Microsoft cert server works and what is available or not, or how it needs to be configured....

For certificates to be recognized they must in some way be "trusted". On Unix systems that means they must be in the /etc/ssl/certs directory together with a symlink to it of the fingerprint.
In Java they need to be added to the trusted store; I guess Windows also has a trusted store (on each system that must be able to verify the CA root)... that is, all systems that use the current certificate.

Jakob Digranes (Senior Consultant) Commented:
1. After you've upgraded the signature algorithm, you need to reissue the root certificate.
2. As long as you've done the process correctly, your SHA1 certs will still be valid; however, you should reissue server and client certs as soon as possible.
- Before you upgrade the root, remember to issue a CRL with validity as long as the newest SHA1 certificate, and don't remove the SHA1 root certificate from AIA paths; let it live side by side with the SHA256 certs.
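An added example (not from the thread, and not Microsoft's own tooling) that supports steps 2 and 3 above: a PowerShell inventory of which certificates in the local machine stores are still SHA1-signed and the latest expiry among them, which is the date the last SHA1 CRL has to cover. It assumes the default Windows store paths and that it runs on a host where `certutil` can reach the CA; the certutil registry names are the ones already used in this thread.

```powershell
# Added example: list certificates that are still SHA1-signed (the reissue list)
# and compute how long the final SHA1 CRL must stay valid.
# Assumes the default LocalMachine stores; adjust $stores for other hosts.

$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'

$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'
            SigAlg     = $_.SignatureAlgorithm.FriendlyName
            NotAfter   = $_.NotAfter
        }
    }
}

# Anything still signed with SHA1 (sha1RSA, sha1ECDSA, ...) needs reissuing
# before the SHA1 root can be retired.
$sha1 = $certs | Where-Object { $_.SigAlg -match '^sha1' }
$sha1 | Sort-Object NotAfter | Format-Table Store, Subject, SigAlg, NotAfter -AutoSize

if ($sha1) {
    # The CRL published before the root upgrade must outlive the newest SHA1 cert.
    $latest = ($sha1 | Measure-Object -Property NotAfter -Maximum).Maximum
    "Newest SHA1 certificate expires $latest; the final SHA1 CRL must be valid at least until then."
    # On the CA, the CRL lifetime is set with (restart certsvc afterwards, then 'certutil -crl'):
    #   certutil -setreg CA\CRLPeriodUnits <number>
    #   certutil -setreg CA\CRLPeriod "Weeks"
} else {
    "No SHA1-signed certificates found in the inspected stores."
}

# Confirm the CA-side hash setting that '-setreg' wrote (run on the CA itself).
certutil -getreg ca\csp\CNGHashAlgorithm
```

The `Format-Table` output is what you hand to whoever owns the servers and clients on the reissue list; re-run the script after each batch until `$sha1` is empty.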

sara2000 (Author) Commented:
Thank you for the reply.
I am working on a lab server. I am trying to renew the root CA with the same key pair after I upgraded the signature algorithm, but I do not get a new root certificate; if I renew the certificate with a new key pair, then I get a new root certificate. I am not sure why I cannot create a new cert with the same key.
Will there be any issue if I create the new root certificate with a new key?
Jakob Digranes (Senior Consultant) Commented:
You cannot upgrade algorithm and renew using same key.
sara2000 (Author) Commented:
I have seen a couple of articles, and they mention using either the same key or a new key.
Here is the Microsoft article, which must have been verified:
https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

"Renewing the CA’s own certificate with a new or existing (same) key would depend on the remaining validity of the certificate. If the certificate is at or nearing 50% of its lifetime, it would be a good idea to renew with a new key. See the following for additional information on CA certificate renewal –"
Also, the link below does either: https://support.symantec.com/en_US/article.TECH246255.html
Jakob Digranes (Senior Consultant) Commented:
So there you go. You have your existing Certification Authority issuing SHA2 algorithm certificates and CRLS. This does not mean that you will start seeing the SHA256 RSA for signature algorithm or SHA256 for signature hash algorithm on the certification authority’s certificates. For that to happen you would need to do the following:

· Update the configuration on the CA that issued its certificate and then renew with a new key.

· If it is a Root CA then you also need to renew with a new key.

from this blog: https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/

If you create with a new key, the only thing you need to make sure of is that the root certificate is published to a valid AIA location.
sara2000 (Author) Commented:
Sorry for my lack of knowledge.
"Update the configuration on the CA that issued its certificate and then renew with a new key."
Is that certutil -setreg?
Jakob Digranes (Senior Consultant) Commented:
Ah .... I probably was a bit short in that last message.

Do this to change to SHA256:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
sara2000 (Author) Commented:
Thanks Jakob.
Should I run certutil -crl at the end? I appreciate your help.