Upgrading your Internal PKI Infrastructure from SHA1 to SHA2 – The Upgrade…

    Posted on May 3, 2016 by in Troubleshooting, Tutorials


    Now it’s time for the main event, the upgrade itself, which as you’ll see is actually very simple. The key is making sure your environment is ready, so please make sure the information gathering from the previous posts has been done and you know exactly what is going to break, or could potentially break, before continuing. (Which shouldn’t be a lot…)

    Before we start, I’ve had a few messages following the previous blogs about the difference between SHA2 and SHA256. To put it simply, SHA-2 is the family and SHA-256 is its most widely used member, so in practice the two names get used interchangeably. The SHA-2 family consists of six hash functions with digests (hash values) of 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. SHA-256 is the one a Windows CA is normally switched to, which is why you see SHA256 in one place and SHA2 in another.

    Now, before we start, PLEASE please please BACKUP the current CA certificate and private key of both the offline root CA and the online issuing CAs.

    To take a backup, open up the ADCS console (in this example we are starting with the Root CA). Right click the server name, and select All Tasks > Back up CA.


    Select both tick boxes, and enter a backup location.


    On the next page enter a password.


    Finally click finish to complete the backup.


    If you now browse to the location you should see the CA certificate and private key (a .p12 file) and the DataBase folder containing the certificate database, as backed up.


    Once you are sure you have a backup, it’s now time to move on to upgrading the algorithm to SHA256.

    Run the following command:

    • certutil -setreg ca\csp\CNGHashAlgorithm SHA256


    You should see output like the above, and there you go. Job done. But hang on, I know I said it was easy but we aren’t there just yet. One caveat first: this registry value is only honoured when the CA’s private key is held in a CNG Key Storage Provider (KSP). If the CA still uses a legacy Cryptographic Service Provider (the provider name is shown under Cryptographic settings in the CA’s properties), the key has to be migrated to a KSP first, otherwise the CA carries on signing with SHA1 regardless of this setting.

    Now the algorithm has been changed, we need to re-issue the root CA certificate as a SHA2 certificate. Strictly speaking, clients do not validate the signature on a self-signed root (it is trusted simply by being in the Trusted Root store), but renewing it keeps the whole hierarchy on SHA2 and avoids a SHA1 signature showing up at the top of every certificate path.

    First start by restarting the ADCS Service.
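    The backup, the algorithm switch and the service restart above can all be done from the command line and verified on the way. The following PowerShell script is an added example, not code from the original post; it runs on the CA itself from an elevated prompt, and the backup location is an assumption. It also performs the check the post relies on implicitly: that the CA key is in a Key Storage Provider, without which the CNGHashAlgorithm value does nothing.

```powershell
# Added example (not from the original post): back up the CA, confirm its key is in a
# CNG Key Storage Provider, switch signing to SHA-256 and verify. Run from an
# elevated PowerShell prompt on the CA itself. The backup path is an assumption.
$BackupDir = Join-Path 'C:\CABackup' (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed location

# 1. Backup first: CA certificate + private key (.p12) and the certificate database.
#    This is the CLI equivalent of the "Back up CA" wizard with both boxes ticked.
$pw = Read-Host -Prompt 'Password to protect the exported CA key'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backup -p $pw $BackupDir
if ($LASTEXITCODE -ne 0) { throw 'CA backup failed, stop here.' }
Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length   # expect a .p12 and a DataBase folder

# 2. CNGHashAlgorithm is only honoured when the CA key lives in a Key Storage Provider.
#    A CA still on a legacy CSP (e.g. "Microsoft Strong Cryptographic Provider") keeps
#    signing with SHA-1 regardless of this value until its key is migrated to a KSP.
$provider = certutil -getreg ca\csp\Provider | Out-String
if ($provider -notmatch 'Key Storage Provider') {
    throw "CA key is on a legacy CSP, migrate it to a KSP before continuing:`n$provider"
}

# 3. Switch the signing hash and restart the service so the CA picks it up.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed.' }
Restart-Service -Name CertSvc

# 4. Confirm the value stuck. Everything the CA signs from now on (certificates and
#    CRLs) uses SHA-256; the CA's own certificate is unchanged until it is renewed.
$hash = certutil -getreg ca\csp\CNGHashAlgorithm | Out-String
if ($hash -notmatch 'SHA256') { throw "Unexpected CNGHashAlgorithm value:`n$hash" }
Write-Host 'CA is now signing with SHA-256.'
```

    The provider check is the one that catches people: an older CA built on the Windows 2003-era defaults is usually on a legacy CSP, and on such a CA the setreg command succeeds silently while newly issued certificates stay SHA1.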


    Let’s go back in and check our current Root CA is still there and showing the old SHA1 algorithm still.


    Head back to the ADCS console, and right click the server name and select All Tasks > Renew CA Certificate.


    You will then be prompted with the following message.


    A new window will now open asking you if you are sure you wish to renew. Click OK to renew. Whether you also generate a new private key is up to you: keeping the existing key means the renewed root certificate carries the same public key, so everything already issued still chains to it, whereas a new key means the old root certificate (and its CRL) must stay published for as long as anything issued under the old key is in use.


    After you click OK you will wonder if anything’s actually happened… So right click the server name again and click properties.


    And you should now see a newly issued certificate (if you’ve never renewed your CA before it will look like the below).


    If we view the certificate details we should now see it shows SHA256.


    We can now export this new root CA certificate ready to be imported via Group Policy and distributed across the environment.


    Finally, we also need to update the CRL, so run the following command:

    • certutil -crl


    This republishes the CRL, now signed with SHA256.


    We also now need to copy the new files (the new root CA certificate and the CRL) from the CA’s CertEnroll folder to the location your CDP and AIA extensions point to. Leave the old files in place for now; if you generated a new key during the renewal there is a second CRL with a “(1)” suffix, and both must be published:


    Once the above has completed, open up your GPO and import the new Root CA Certificate.


    We should now have two root certificates presented. I would not recommend removing the old one *just* yet, as clients still need it while SHA1-signed certificates are in use…


    Save the GPO and allow time for the GPO to re-apply. If we now check the store on a domain joined computer or server we should see two Root CA Certs, with one of them being the new SHA2 certificate:
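    The renewal, export, CRL republish and client-side check described in the steps above can also be driven from the command line. The script below is an added example, not code from the original post. The CA subject, export directory and the share behind the CDP/AIA URLs are assumptions; the last block is meant to be run on a domain-joined client once the GPO has applied.

```powershell
# Added example (not from the original post): renew the root CA certificate with
# SHA-256 signing, republish the CRL, copy both to the CDP/AIA location and check
# what a client's store shows. Names, paths and the CDP share are assumptions.
$ExportDir   = 'C:\CAExport'                                 # assumed
$CdpShare    = '\\pki.contoso.local\pki$'                    # assumed folder behind the HTTP CDP/AIA URLs
$RootSubject = 'CN=Contoso Root CA, DC=contoso, DC=local'    # assumed root CA subject

# 1. Renew the root CA certificate (CLI equivalent of All Tasks > Renew CA Certificate).
#    ReuseKeys keeps the existing key pair so already-issued certificates still chain
#    to the same public key; drop it to generate a new key.
certutil -renewCert ReuseKeys
if ($LASTEXITCODE -ne 0) { throw 'Renewal failed.' }

# 2. Export the newest CA certificate and check what it is signed with.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir 'RootCA-sha256.cer'
certutil -ca.cert $cerPath | Out-Null        # with no index, certutil exports the current (newest) CA cert
$newRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
'{0} is signed with {1}' -f $newRoot.Subject, $newRoot.SignatureAlgorithm.FriendlyName
if ($newRoot.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Expected sha256RSA, got $($newRoot.SignatureAlgorithm.FriendlyName); was CNGHashAlgorithm set and the service restarted?"
}

# 3. Publish a fresh CRL (now SHA-256 signed) and copy CRL + CA cert to the CDP/AIA location.
#    Renewal writes the new certificate as <host>_<CA name>(1).crt; if you generated a new
#    key there is also a <CA name>(1).crl next to the old CRL. Copy everything and leave
#    the old files in place for clients still validating SHA-1 chains.
certutil -crl
if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed.' }
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
Get-ChildItem "$enroll\*" -Include *.crl, *.crt | Copy-Item -Destination $CdpShare -Force
$latestCrl = Get-ChildItem $enroll -Filter *.crl | Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $latestCrl.FullName | Select-String 'Signature Algorithm' -Context 0, 1

# 4. On a domain-joined client, once the GPO with the new root has applied, both root
#    certificates should be present: the old sha1RSA one and the new sha256RSA one.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootSubject } |
    Select-Object Thumbprint, NotBefore, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

    The signature-algorithm check after the export is the cheapest way to prove the renewal actually happened under the new setting; a root that was renewed before the service restart will still come back as sha1RSA.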


    This completes the necessary steps to upgrade the Root CA. You now need to replicate that for your sub CAs.

    To assist, and also help provide some scenarios, I’m also going to upgrade the SSL issuing CA.

    Once again, make sure you have a BACKUP and follow the same procedures to renew the CA.


    Now please remember, until we renew this certificate the sub CA’s OWN certificate is still SHA1, because the root signed it before the root was switched over.

    Request a renewal and export the certificate request to take to the offline root CA (click Cancel on the prompt asking for a parent CA and the request file is written to the default location).



    Submit the request on the root CA and issue the new sub CA certificate.


    Checking the details of the certificate we can see it’s now a SHA2-signed certificate, because the root is already signing with SHA256.


    We now need to import this on to the sub CA, so right click > All tasks > Install CA certificate.


    The new certificate will now install.


    Like with the root CA, we now have a new certificate. If you open up the certificate you will see it’s our new certificate.


    And let’s check the certification path to ensure it’s fully trusted. The new root certificate must already be in the sub CA’s Trusted Root store for the install to succeed.


    Once again, add this certificate to any relevant GPO.


    Now we have updated the Issuing CA certificate we can switch the Issuing CA itself to sign with SHA2.

    Once again run the following:

    • certutil -setreg ca\csp\CNGHashAlgorithm SHA256
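    The sub CA renewal just walked through (submit the request on the offline root, issue, retrieve, install on the sub CA, verify the chain, then switch the sub CA’s own hash) is shown below as a command-line version. This is an added example, not code from the original post; the CA names, host names, transfer path and request file name are assumptions, and the request file is the one the sub CA wrote when you clicked Cancel on the renewal prompt.

```powershell
# Added example (not from the original post): renew a subordinate (issuing) CA against
# an offline root from the command line, then switch the issuing CA to SHA-256 signing.
# CA names, host names and paths are assumptions.
$RootConfig = 'ROOTCA01\Contoso Root CA'                               # assumed Machine\CAName of the root
$Transfer   = 'D:\transfer'                                            # assumed removable media for the offline root
$ReqFile    = Join-Path $Transfer 'ISSUINGCA01_Contoso Issuing CA.req' # assumed request file name
$CerFile    = Join-Path $Transfer 'Contoso Issuing CA-sha256.cer'

# ---- On the offline root CA: submit the request, approve it, retrieve the certificate. ----
# A standalone root normally holds requests as pending, so certreq reports a RequestId
# instead of writing the certificate straight away.
$submit = certreq -submit -config $RootConfig $ReqFile $CerFile 2>&1 | Out-String
if ($submit -match 'pending' -and $submit -match 'RequestId:\s*(\d+)') {
    $id = $Matches[1]
    certutil -config $RootConfig -resubmit $id | Out-Null      # the CLI form of "Issue" on a pending request
    certreq -retrieve -config $RootConfig $id $CerFile | Out-Null
}
if (-not (Test-Path $CerFile)) { throw "No certificate issued:`n$submit" }

# Because the root already signs with SHA-256, the issuing CA's new certificate is SHA-256
# even though the issuing CA itself has not been reconfigured yet.
$subCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
if ($subCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Root signed the sub CA certificate with $($subCert.SignatureAlgorithm.FriendlyName)"
}

# ---- Back on the issuing CA: install the new certificate and check the chain. ----
# installCert builds the chain first, so the new root certificate must already be in
# this server's Trusted Root store (via the GPO) or the install is refused.
certutil -installCert $CerFile
if ($LASTEXITCODE -ne 0) { throw 'installCert failed, check the new root is trusted on this server.' }
Restart-Service -Name CertSvc
certutil -verify $CerFile                     # chain and revocation status, should report no errors

# Only now switch the issuing CA's own signing hash. From here on the end-entity
# certificates and CRLs it produces are SHA-256; existing ones stay SHA-1 until reissued.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
Restart-Service -Name CertSvc
```

    The ordering matters: switching the issuing CA’s hash before its own certificate has been renewed works, but leaves SHA-256 end-entity certificates chaining through a SHA1-signed intermediate, which is exactly what browser deprecation warnings flag.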


    There you have it: your Root CA and Sub CAs are now all updated and ready to issue new SHA2 certificates. Bear in mind that certificates issued before the switch are still SHA1; they stay that way until they are renewed or reissued, which is why both root certificates remain published for now.

    This completes the SHA1 to SHA2 upgrade. In the final post I’ll be showing you what clients will see from an end user point of view whilst you are in between SHA1 and SHA2 deployments, which will hopefully answer some of the questions you’ve sent in already.


