Harcourt15 (United Kingdom of Great Britain and Northern Ireland)

asked on
Changing AlternateSignatureAlgorithm to 0 on Internal CA

We're successfully using an Internal CA but have an issue with a single application that requires internal clients to use Firefox. Firefox does not like the certificate produced by the internal CA, and I believe this is due to AlternateSignatureAlgorithm = 1 being set on the CA.

The issue we have is described here:

Windows PKI certificates not trusted due to disabled insecure algorithm.
https://support.mozilla.org/en-US/questions/1237191

and here: https://social.technet.microsoft.com/Forums/en-US/eec01ac5-8524-42ac-b2d0-5d3722e077b8/alternatesignaturealgorithm-enabled-on-root-and-sub-cas-causing-issues?forum=winserversecurity

Based on these articles, the solution appears to be

  1. Set AlternateSignatureAlgorithm = 0 in CAPolicy.inf
  2. Update the reg value of the same name here: HKLM\SYSTEM\CurrentControlSet\Services\Certsvc\Configuration\CANAME\CSP to be 0
  3. Renew and resign all certificates

This seems straightforward, but I am concerned as to the impact of doing this on existing services that require certificates. For example, we have numerous Direct Access clients - if their existing Direct Access connections fail due to a change on the CA, then they would not be able to connect in to pick up a renewed/resigned certificate.

Is anyone able to advise if this would be the case, or if we can make the changes without affecting existing services? If we did make the change and this happened, is there any way we'd be able to roll back (i.e. if we backed up the certificates on the CA before making the changes)?
Radhakrishnan (India)

Hi,

First create a folder called CABackup (or whatever you need). Open Certification Authority >> right-click on the Org name >> All Tasks >> Back up CA >> tick both "Private key and CA certificate" and "Certificate database and certificate database log" >> save this to the folder which you have created. Once completed, you are good to go with the algorithm changes.

The only hard thing is renewing all the existing certificates and re-assigning them; the rest should be fine.
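The backup the answer describes and the registry change from the question, as an added PowerShell example that is not part of this thread. It assumes an elevated session on a Windows Server 2012 R2 or later CA with the ADCSAdministration module; C:\CABackup and the password prompt are placeholders, and the inventory function can be run on any domain machine (for example a DirectAccess client) to see which of its certificates were signed with RSASSA-PSS, the signature type produced when AlternateSignatureAlgorithm is 1 and the one Firefox rejects.

```powershell
# Added example, not from the original thread. Run elevated on the CA.
Import-Module ADCSAdministration

# 1. Back up private key, CA certificate and database first (same as the
#    MMC "Back up CA" wizard), so the change can be rolled back with
#    Restore-CARoleService if anything breaks. Path is a placeholder.
$backupDir = 'C:\CABackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupPassword = Read-Host -AsSecureString 'Password to protect the exported CA key'
Backup-CARoleService -Path $backupDir -Password $backupPassword -Force

# 2. Record the current value so the exact pre-change state is documented.
certutil -getreg CA\CSP\AlternateSignatureAlgorithm

# 3. Switch to classic PKCS#1 v1.5 signatures. The registry value is only
#    read at service start, so CertSvc must be restarted for it to apply.
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 0
Restart-Service certsvc

# 4. Inventory helper: list certificates in a store that carry an
#    RSASSA-PSS signature (OID 1.2.840.113549.1.1.10). Those are the ones
#    that still need to be renewed after the CA change; certificates
#    signed with PKCS#1 v1.5 (e.g. 1.2.840.113549.1.1.11 for sha256RSA)
#    are not affected.
function Get-PssSignedCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $pssOid = '1.2.840.113549.1.1.10'
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.Value -eq $pssOid } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Example: certificates on this machine that must be re-issued.
Get-PssSignedCertificate | Format-Table -AutoSize
```

Existing certificates keep validating after the CA switch (the CA's own key is unchanged), so the inventory is about which ones to reissue, not which ones stop working; to reverse the change, set the value back to 1 and restart CertSvc, or restore from the backup taken in step 1.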