SOLVED – Migrating your CA from SHA1 to SHA2 and much more


I had a Windows Server 2008 R2 enterprise root CA that used SHA1, and I could not issue SHA2 certificates from it because the root CA certificate did not support that.

So I had to switch / migrate to the new algorithm, and in that process I also migrated the CA to a Windows Server 2016 server.

To switch only the hash algorithm from SHA1 to SHA2 on the existing 2008 R2 server, you need to run this command and then renew the root CA certificate:

cmd> CERTutil -setreg ca\csp\CNGHashAlgorithm SHA256

and then renew the root CA certificate (image: renew CA certificate in the Certification Authority console).
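The two-step procedure above (set the CNG hash algorithm, then renew the CA certificate), written out as a checkable sequence. This is an added example, not a script from the original post; it assumes an elevated PowerShell prompt on the CA server itself, and `<YourCAName>` is a placeholder for the CA's common name. The registry value the post sets is only honoured when the CA key is held by a CNG key storage provider, so the script checks the provider first.

```powershell
# Added example (not from the original post): move an AD CS CA to SHA-256
# signing and verify the result. Run elevated on the CA server.

# 0. Check which provider holds the CA key. CNGHashAlgorithm is only used
#    when this reports a Key Storage Provider (KSP), e.g.
#    "Microsoft Software Key Storage Provider". A legacy CSP key must be
#    migrated to a KSP first, otherwise the setting below has no effect.
certutil -getreg ca\csp\Provider

# 1. Record the current hash algorithm (an old 2008 R2 CA typically shows SHA1)
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. Switch everything the CA signs from now on to SHA-256 (the post's command)
certutil -setreg ca\csp\CNGHashAlgorithm SHA256

# 3. The value is read at service start, so restart Certificate Services
Restart-Service -Name CertSvc

# 4. Confirm the CA picked it up
certutil -getreg ca\csp\CNGHashAlgorithm

# 5. Renew the CA certificate in certsrv.msc (right-click the CA name,
#    All Tasks, Renew CA Certificate). Re-using the existing key is fine;
#    the new self-signed root certificate will be SHA-256 signed.
#    Afterwards, confirm the signature algorithm on the renewed CA cert:
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*<YourCAName>*" } |
    Select-Object Subject, NotBefore,
        @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }

# 6. Audit: certificates already issued before the switch stay SHA-1 until
#    they are re-issued. List anything in the machine stores still signed
#    with SHA-1 so you know what needs renewing.
Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
    Select-Object Subject, Issuer, NotAfter,
        @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

The point of steps 0 and 6 is that changing the registry value only affects what the CA signs going forward: the root certificate must actually be renewed for the chain to become SHA-256, and previously issued end-entity certificates keep their SHA-1 signatures until they are renewed too.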

To migrate the CA to a Windows Server 2016 server, I used this tutorial:

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2


For other CA-related issues, such as enabling SSL on the web enrollment page or creating a SHA2 CSR on Windows Server to request an SSL certificate, see these links:


  1. https://www.petri.com/enable-https-certificate-authority-web-enrollment-windows-server-2008-2012
  2. https://www.day.ir/en-us/articles/ssl/create-csr-sha2-algorithm
  3. https://blogs.technet.microsoft.com/canitpro/2014/11/11/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2/
  4. https://social.technet.microsoft.com/Forums/ie/en-US/dc23cde8-089a-46ca-9238-0eb2fe29447f/error-parsing-request-the-request-subject-name-is-invalid-or-too-long-when-trying-to-create-a?forum=winserversecurity



dpejic has written 85 articles
