Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to start the migration of a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256.

Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter or on my blog, Working Sysadmin: Figuring stuff out at work.

I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.

Note: This is a five-part series that includes the following posts:

- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1. Explore why you may need to perform this work, configure logging, and set up variables.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2. Back up your certification authority (CA) and test the script.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3. Delete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5.

First things first. You need to know if this series of posts is for you. Presumably, you are running a Windows certification authority (CA) and want to upgrade from SHA-1 to SHA-256. With SHA-1 on its way to deprecation, this is an important piece of work that you should perform sooner rather than later. These posts assume you have a base-level knowledge of Windows CAs and how the public key infrastructure (PKI) works. The SHA-1 to SHA-256 upgrade isn’t very difficult, but that’s a conditional statement.

Open your CA MMC, right-click the name of your CA, and click Properties. If it looks exactly like the following image, give yourself a pat on the back because you’re already done. What you’re looking for is that the Provider is Microsoft Storage Key Service Provider and that the Hash algorithm is SHA256.
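The provider and hash algorithm check described in this post can also be scripted, which helps when several CAs need to be reviewed. The following is an added example, not part of the original post or its migration script; the function name Test-CaCryptoConfig and the two sample configurations are constructed for illustration, and it assumes the CA's settings are stored in the CSP subkey of the CertSvc Configuration registry key.

```powershell
# Added example, not from the original post. Classifies a CA's crypto settings
# from the values under ...\CertSvc\Configuration\<CA name>\CSP.
function Test-CaCryptoConfig {
    param([Parameter(Mandatory)] [hashtable] $Csp)

    # CNG key storage providers (KSPs) are registered with ProviderType 0;
    # legacy CryptoAPI CSPs carry a non-zero type such as 1 (PROV_RSA_FULL).
    $isKsp = $Csp.ContainsKey('ProviderType') -and ([long]$Csp.ProviderType -eq 0)

    if ($isKsp) {
        # A KSP-backed CA names its signing hash in CNGHashAlgorithm.
        $hash = [string]$Csp.CNGHashAlgorithm
    } else {
        # A CSP-backed CA stores a CryptoAPI ALG_ID in HashAlgorithm.
        $hash = switch ([long]$Csp.HashAlgorithm) {
            0x8004  { 'SHA1' }
            0x800c  { 'SHA256' }
            default { 'ALG_ID 0x{0:x}' -f $_ }
        }
    }

    [pscustomobject]@{
        Provider        = $Csp.Provider
        IsKsp           = $isKsp
        HashAlgorithm   = $hash
        MigrationNeeded = -not ($isKsp -and $hash -eq 'SHA256')
    }
}

# Constructed sample values: a CA before and after the migration.
$before = @{ Provider = 'Microsoft Strong Cryptographic Provider'; ProviderType = 1; HashAlgorithm = 0x8004 }
$after  = @{ Provider = 'Microsoft Software Key Storage Provider'; ProviderType = 0; CNGHashAlgorithm = 'SHA256' }
$before, $after | ForEach-Object { Test-CaCryptoConfig -Csp $_ }

# On a CA server, read the live values for the active CA instead.
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $config) {
    $caName = (Get-ItemProperty -Path $config).Active
    $live = @{}
    (Get-ItemProperty -Path "$config\$caName\CSP").PSObject.Properties |
        ForEach-Object { $live[$_.Name] = $_.Value }
    Test-CaCryptoConfig -Csp $live
}
```

A result with MigrationNeeded set to False corresponds to the "already done" case in the Properties dialog; anything else means the CA still signs through a legacy CSP or with a hash other than SHA256.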