SOLVED – Migrating from SHA1 to SHA2 your CA and much more

Posted on August 29, 2017 by dpejic

I had a 2008 R2 enterprise root CA server with SHA1. I could not issue a certificate with SHA2 because the root certificate did not support that. So I had to switch / migrate to the new algorithm, and in that process I also migrated the CA to a Windows Server 2016 server.

To switch only from SHA1 to SHA2 on the existing 2008 server, you only need to execute this command and renew the root CA certificate:

cmd> CERTutil -setreg ca\csp\CNGHashAlgorithm SHA256

To migrate the CA server to a Windows Server 2016 server, use this tutorial: Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

For other issues regarding the CA, such as SSL for the enrollment page or creating a SHA2 CSR file on Windows Server to request an SSL cert, use some of these links:

https://www.petri.com/enable-https-certificate-authority-web-enrollment-windows-server-2008-2012
https://www.day.ir/en-us/articles/ssl/create-csr-sha2-algorithm
https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/
https://social.technet.microsoft.com/Forums/ie/en-US/dc23cde8-089a-46ca-9238-0eb2fe29447f/error-parsing-request-the-request-subject-name-is-invalid-or-too-long-when-trying-to-create-a?forum=winserversecurity
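
The SHA1-to-SHA2 switch described above, as an added example that is not part of the original post: it records the state before the change, applies the post's command, renews the root CA certificate, and checks that the new certificate is signed with SHA256. It assumes an elevated PowerShell session on the CA server and a CA key held in a CNG key storage provider; the helper names, the `ReuseKeys` choice and the file names under `%TEMP%` are this example's own.

```powershell
# Added example; run in an elevated PowerShell session on the CA server.
# Assumption: the CA key is held in a CNG key storage provider (KSP).
$ErrorActionPreference = 'Stop'

function Invoke-CertUtil {
    # Hypothetical helper: run certutil and stop on a non-zero exit code.
    & certutil.exe @args
    if ($LASTEXITCODE -ne 0) { throw "certutil $args failed with exit code $LASTEXITCODE" }
}

function Get-CaCertSignatureAlgorithm([string]$Path) {
    # Hypothetical helper: export the current CA certificate to $Path
    # and return the name of its signature algorithm.
    Invoke-CertUtil '-f' '-ca.cert' $Path | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $cert.SignatureAlgorithm.FriendlyName
}

# 1. Record the starting state: provider, hash algorithm, CA certificate signature.
Invoke-CertUtil '-getreg' 'ca\csp\Provider'
Invoke-CertUtil '-getreg' 'ca\csp\CNGHashAlgorithm'
$before = Get-CaCertSignatureAlgorithm (Join-Path $env:TEMP 'ca-before.cer')

# 2. The command from the post, then a restart so the service reads the new value.
Invoke-CertUtil '-setreg' 'ca\csp\CNGHashAlgorithm' 'SHA256'
Restart-Service certsvc

# 3. Renew the root CA certificate. ReuseKeys (keep the existing key pair) is
#    this example's choice; the post only says to renew the certificate.
Invoke-CertUtil '-renewCert' 'ReuseKeys'
Restart-Service certsvc

# 4. Verify that the renewed CA certificate is signed with SHA256.
$after = Get-CaCertSignatureAlgorithm (Join-Path $env:TEMP 'ca-after.cer')
"CA certificate signature: $before -> $after"
if ($after -notmatch 'sha256') { throw "CA certificate is still signed with $after" }
```

Certificates issued before the change keep their original SHA1 signatures; only certificates and CRLs signed after the change use SHA256.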