Month: August 2015

Migrate Microsoft Certification Authority to SHA-2 Algorithm

Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.

Before planning this migration, test every application in your environment to confirm that it can build certificate chains and perform revocation checking against certificates and CRLs signed with SHA-2 algorithms. Also, Windows Server 2003 and Windows XP clients cannot obtain certificates from a Certification Authority configured to sign with SHA-256 or a stronger SHA-2 hash until the corresponding Microsoft hotfix is applied to them.

Once the planning phase is complete, follow these steps to migrate your CA from SHA-1 to SHA-2. First, confirm that your CA currently uses SHA-1 by opening the Certification Authority MMC and looking at the properties of the CA certificate (the Signature hash algorithm field on the Details tab).

It is always a good idea to back up your CA database and the CertSvc registry keys before changing the signing algorithm.

When your CA is fully backed up, you can move to the migration step. Changing the hash algorithm takes a single command run from an elevated PowerShell prompt, followed by a restart of the CA service. Note that SHA-2 signing requires the CA key to be held by a CNG Key Storage Provider; a CA created with a legacy CSP must have its key migrated to a KSP before this step.

Your Certification Authority now issues certificates signed with SHA-256, but the CA's own certificate is still signed with SHA-1. So you have to renew the CA certificate and generate a new signing key. The previous CA certificate stays in place so that certificates already issued under it continue to chain.

Now you can confirm that the CA certificate uses SHA-256 by looking at its Details tab.

Then, verify that the certificate revocation list still publishes and carries the correct signature algorithm and signature hash algorithm. First, publish the CRL (certutil -crl, or Publish from the Revoked Certificates node of the console).

Then go to %windir%\system32\CertSrv\CertEnroll and open each CRL file. After a renewal with a new key the CA publishes one CRL per CA key, and every one of them should show SHA-256 as the signature hash algorithm.
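The whole procedure above in one script, as an added example that is not the post's own commands (those were in its screenshots). It runs in an elevated PowerShell session on the CA server; the backup directory is an assumption, and the KSP check, the rollback hint and the per-CRL signature check are additions beyond the post's steps.

```powershell
# Added example: migrate an AD CS CA from SHA-1 to SHA-256 signing.
# Run elevated on the CA itself. $BackupDir is an assumption; change it as needed.
$ErrorActionPreference = 'Stop'
$BackupDir = 'C:\CABackup'
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName    = (Get-ItemProperty -Path $ConfigKey).Active

# 1. Current state. SHA-2 signing needs the CA key in a CNG Key Storage Provider;
#    a CA still on a legacy CSP must migrate its key to a KSP before continuing.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm      # shows SHA1 before the change

# 2. Back up the CA database and its registry configuration first.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backupDB $BackupDir
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# 3. Switch the signing hash and restart the service.
#    Rollback, if needed, is the same command with SHA1 and another restart.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service certsvc

# 4. Renew the CA certificate with a NEW key pair (omit "ReuseKeys" so a fresh key
#    is generated). The old CA certificate stays to chain already-issued certs.
certutil -renewCert

# 5. Check that the newest CA certificate carries sha256RSA.
$CACert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$CAName*" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
"CA certificate signature: $($CACert.SignatureAlgorithm.FriendlyName)"   # expect sha256RSA

# 6. Publish a fresh CRL and report the signature algorithm of every CRL file.
#    After a renewal with a new key there is one CRL per CA key; all should be sha256RSA.
certutil -crl
Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" | ForEach-Object {
    $dump = certutil -dump $_.FullName | Out-String
    $sig  = if ($dump -match 'sha\d*RSA') { $Matches[0] } else { 'unknown' }
    "{0,-40} {1}" -f $_.Name, $sig
}
```

Run the first block on its own before anything else: if the Provider value is not a Key Storage Provider, stop and migrate the key to a KSP first, otherwise step 3 leaves you with a CA that cannot sign.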

Error: Failed while creating virtual Ethernet switch

If you encounter the error Failed while creating virtual Ethernet switch with Invalid class string as the explanation, a COM class that the Hyper-V management components depend on is not registered, which usually means system files on the host are missing or corrupted and need to be repaired.

To resolve this issue, use the System File Checker (sfc) tool built into the operating system to look for and repair system file corruption. (Keep in mind that it is always a good idea to have a backup of your data.) Follow these steps to launch the repair process:

  • Start a command prompt as Administrator
  • To verify and repair the OS, type: sfc /scannow
  • To check the OS only, type: sfc /verifyonly (no changes are made; the results are written to %windir%\Logs\CBS\CBS.log)
  • Reboot your system once the repair has completed successfully
  • Try creating the virtual switch in Hyper-V again

Install Hyper-V role on a Hyper-V VM

Server Manager refuses to install the Hyper-V role inside a Hyper-V VM because the guest does not expose hardware virtualization. To get past that error message, install the role and its tools with a few PowerShell commands instead:

  • First, if you run these steps from a saved script, set the execution policy to at least RemoteSigned: Set-ExecutionPolicy RemoteSigned (commands typed interactively do not need this)
  • Then install the Hyper-V role: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
  • Install the Hyper-V management tools: Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature
  • (Optional) Finally, install the Failover Clustering tools and the MPIO feature: Install-WindowsFeature RSAT-Clustering,Multipath-IO -IncludeAllSubFeature

Then reboot the VM to complete the installation. But remember: you will be able to build a Hyper-V failover cluster and create highly available VMs inside it, but you will not be able to start them, because the hypervisor cannot run without the virtualization extensions that the outer host hides from the guest.
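An idempotent version of the steps above, as an added example rather than the post's own commands. It runs in an elevated PowerShell session inside the guest, skips anything already installed, and ends with the outer-host command (Windows Server 2016 or later) that lifts the "cannot start VMs" limitation; the guest VM name in that comment is a placeholder.

```powershell
# Added example: install the Hyper-V role and tools inside a Hyper-V guest
# without the Server Manager wizard. Run elevated inside the guest.
$ErrorActionPreference = 'Stop'

# The execution policy only matters when this is saved and run as a .ps1 file.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# Hyper-V role: Enable-WindowsOptionalFeature bypasses the Server Manager check
# that blocks the role inside a VM. Skip the step when the role is already present.
$role = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
$roleAdded = $false
if ($role.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart | Out-Null
    $roleAdded = $true
}

# Management tools plus the optional cluster tools and MPIO.
# Install-WindowsFeature leaves features that are already installed alone.
$result = Install-WindowsFeature -Name RSAT-Hyper-V-Tools, RSAT-Clustering, Multipath-IO -IncludeAllSubFeature
$needReboot = $roleAdded -or ($result.RestartNeeded -eq 'Yes')
"Features installed: {0}; reboot needed: {1}" -f ($result.FeatureResult.Name -join ', '), $needReboot

# After the reboot the role is installed, but the hypervisor will not start in the
# guest unless the outer host exposes virtualization extensions to it. On a Windows
# Server 2016 or later host, with the guest turned off, that is (placeholder name):
#     Set-VMProcessor -VMName '<guest VM name>' -ExposeVirtualizationExtensions $true
# Without it you can build the cluster and define VMs, but they fail to start.
if ($needReboot) { Restart-Computer -Confirm }
```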

Configure Agent Failover to Multiple SCOM Gateway Servers

First, check that all certificates (see my previous article) are correctly configured. Then connect to one of your management servers, or to a machine with the Operations console installed, open the Operations Manager Shell and run the following command.

This command lists the primary and failover management or gateway servers currently known for a given agent. To reconfigure an agent with the proper primary management server and failover management servers, run the following command.

Run these commands from a script to configure new agents automatically or to reconfigure existing ones in bulk.
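A script that does both steps, as an added example and not the post's own commands (those were lost with its screenshots). It uses the OperationsManager module's Get-SCOMAgent, Get-SCOMGatewayManagementServer and Set-SCOMParentManagementServer cmdlets; the gateway and agent host names are assumptions.

```powershell
# Added example: show, then set, the primary and failover gateways for a set of agents.
# Run in an Operations Manager Shell (or after Import-Module OperationsManager) on a
# management server or a console machine. Host names below are assumptions.
Import-Module OperationsManager
$ErrorActionPreference = 'Stop'

$Primary  = Get-SCOMGatewayManagementServer -Name 'gw01.dmz.example.com'
$Failover = Get-SCOMGatewayManagementServer -Name 'gw02.dmz.example.com'
$Agents   = Get-SCOMAgent -DNSHostName 'web01.dmz.example.com', 'web02.dmz.example.com'

if (-not $Primary -or -not $Failover) { throw 'Gateway server not found; check the names.' }
if ($Primary.Id -eq $Failover.Id)     { throw 'Primary and failover must be different servers.' }
if (-not $Agents)                     { throw 'No matching agents found.' }

# What each agent knows today: its primary and its ordered failover list.
foreach ($agent in $Agents) {
    $current  = $agent.GetPrimaryManagementServer().DisplayName
    $failover = ($agent.GetFailoverManagementServers() | ForEach-Object DisplayName) -join ', '
    "{0,-30} primary={1} failover=[{2}]" -f $agent.DisplayName, $current, $failover
}

# Reconfigure: primary first, then the failover list. -FailoverServer replaces the
# whole list, so pass every failover gateway you want in a single call. The agent
# receives the new list through the server it currently reports to, so keep that
# server reachable until the agents have picked the change up.
Set-SCOMParentManagementServer -Agent $Agents -PrimaryServer $Primary
Set-SCOMParentManagementServer -Agent $Agents -FailoverServer $Failover
```

Both gateways must already be able to authenticate the agents (the certificate setup from the previous article), otherwise a failover to the second gateway simply moves the agent to a server that rejects it.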