Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity.
But remember, before planning this migration you will have to test every application in your environment to make sure it can perform certificate chain building and revocation checking against certificates and CRLs that have been signed using the SHA-2 algorithms. Moreover, Windows Server 2003 and Windows XP clients cannot obtain certificates from a Certification Authority that is configured to use SHA-256 or a stronger SHA-2 hash until you apply this hotfix.
Once the planning phase is complete, follow these steps to migrate your CA from SHA-1 to SHA-2. First, confirm that your CA is currently using SHA-1 by opening the Certification Authority MMC snap-in and looking at the properties of your root certificate (the Signature hash algorithm field on the Details tab).
It is always a good idea to back up your CA database and registry keys before changing the hash algorithm.
When your CA is fully backed up, you can move on to the migration step. To change the hash algorithm you only need to run one command from an elevated PowerShell prompt and restart the CA service.
Your Certification Authority is now issuing certificates signed with SHA-256, but the CA's own certificate is still signed with SHA-1. So you have to renew the CA certificate and generate a new signing key.
Now you can confirm that your root certificate is using SHA-256 by looking at the Details tab.
Then you need to verify that the certificate revocation list is published and has the correct signature algorithm and signature hash algorithm. First, publish the certificate revocation list (CRL) by running the following command.
Then go to %windir%\system32\CertSrv\CertEnroll and locate the CRL files. Each CRL file should now show SHA-256 as its signature hash algorithm; you will see one CRL per CA signing key, because the CA keeps publishing a CRL for the old key until every certificate it signed has expired.
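The steps above, collected into one script as an added example (this is not the post's own code). It assumes an elevated PowerShell session on a root CA running AD CS, and that C:\CABackup is a location you choose for the backup; every certutil switch used is a documented one. The verification at the end reads the signature algorithm from the CA certificate in the local machine store and from each published CRL, so you can check the result without opening the MMC.

```powershell
# Added example: migrate an AD CS root CA from SHA-1 to SHA-256 and verify the result.
# Assumptions: run elevated on the CA itself; $BackupDir is a path of your choosing.
$BackupDir = 'C:\CABackup'                                        # assumed backup location
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc'    # CA configuration lives here

# 1. Record the current hash algorithm before touching anything.
#    A CNG (KSP) based CA reads CNGHashAlgorithm; an older CSP based CA reads HashAlgorithm.
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -getreg ca\csp\HashAlgorithm

# 2. Back up the CA database plus CA certificate/private key, and export the registry keys.
#    certutil -backup prompts for a password that protects the exported private key.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backup $BackupDir
reg export $RegKey (Join-Path $BackupDir 'CertSvc.reg') /y

# 3. Switch the CA to SHA-256 and restart the service so new issuances use it.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service CertSvc

# 4. Renew the CA certificate with a NEW key pair (omitting ReuseKeys makes certutil
#    generate one). A root CA self-signs the renewed certificate.
certutil -renewCert

# 5. Publish a fresh CRL. Expect one CRL per signing key: the old key's CRL keeps being
#    published until every certificate signed by that key has expired.
certutil -crl

# 6. Verify: the CA certificate(s) in the machine store and each CRL in CertEnroll
#    should report sha256RSA rather than sha1RSA.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

$CrlDir = Join-Path $env:windir 'system32\CertSrv\CertEnroll'
Get-ChildItem -Path $CrlDir -Filter '*.crl' | ForEach-Object {
    Write-Host "== $($_.Name)"
    # certutil -dump prints a "Signature Algorithm:" block whose "Algorithm ObjectId" line
    # names the OID, e.g. 1.2.840.113549.1.1.11 sha256RSA; anything still showing sha1RSA
    # means the CRL was signed with the old key and algorithm.
    certutil -dump $_.FullName | Select-String -Pattern 'Signature Algorithm', 'Algorithm ObjectId'
}
```

Run step 1 and step 6 on their own first to capture the "before" state; after the migration, any client that cannot build a chain or check revocation against the SHA-256 signed CRL is exactly the kind of application the planning phase above is meant to find.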