**********OFFLINE ROOT CA PROCEDURE*****************

1. Delete the AlternateSignatureAlgorithm = 1 line from c:\windows\capolicy.inf.
2. Change the Reg Key:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\HDCPKIROOTCA00V\CSP]
    "ProviderType"=dword:00000000
    "Provider"="Microsoft Software Key Storage Provider"
    "HashAlgorithm"=dword:00008004
    "CNGPublicKeyAlgorithm"="RSA"
    "CNGHashAlgorithm"="SHA1"
    "AlternateSignatureAlgorithm"=dword:00000000
    "MachineKeyset"=dword:00000001

3. Restart the Certsvc service.
4. Launch Cert Authority Manager > All Tasks > Renew CA Certificate.
   ****** NO you do NOT want to generate a new Key Pair!!! ******
5. You now have two certs in C:\Windows\System32\CertSrv\CertEnroll.
6. Copy both certs and the CRL file to a floppy.

**********INTERMEDIATE ROOT CA PROCEDURE*****************

1. Delete the AlternateSignatureAlgorithm = 1 line from c:\windows\capolicy.inf.
2. Change the Reg Key:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\HDCPKIROOTCA00V\CSP]
    "ProviderType"=dword:00000000
    "Provider"="Microsoft Software Key Storage Provider"
    "HashAlgorithm"=dword:00008004
    "CNGPublicKeyAlgorithm"="RSA"
    "CNGHashAlgorithm"="SHA1"
    "AlternateSignatureAlgorithm"=dword:00000000
    "MachineKeyset"=dword:00000001

3. Restart the Certsvc service.
4. Connect the floppy > copy all files to c:\CertFiles.
5. Back up the original cert file (the one without the (1) on the end) to a backup folder.
6. Rename the new crt by taking the (1) off the end.
7. Open an administrative command window and issue the following commands (while in the CertFiles folder):

    certutil -dspublish -f {root-certificate-name}.crt RootCA
    certutil -addstore -f root {root-certificate-name}.crt
    certutil -addstore -f root {CRL-name}.crl
    certutil -dspublish {CRL-name}.crl

8. Now we need to renew the intermediate cert.
9. Launch Cert Authority Manager > All Tasks > Renew CA Certificate.
   ****** NO you do NOT want to generate a new Key Pair!!! ******
10. When asked which CA to submit the request to, it should say the request has been saved on the C: drive (probably with a (1) on it): {domain_servername}(1).req
11. Put that on the floppy and take it to the Offline Root CA.

***On the OFFLINE ROOT CA***

    certreq -submit "A:\{domain_servername}(1).req"

12. Select OK to use the Offline CA.
13. Take note of the Request ID (i.e. 5).
14. Launch the Cert Authority management console > Pending Requests > Issue the request ID you noted above.
15. Go to Issued Certificates and make sure the Signature Algorithm is sha1RSA.
16. Back at the CLI, retrieve the cert with the following command (change the request ID from 5 to match the one you are working on!):

    certreq -retrieve 5 A:\{domain_servername}(1).crt

17. Make sure the cert on the floppy is valid and has the correct Signature Algorithm.
18. Move the floppy back to the Intermediate server.

***On the INTERMEDIATE ROOT CA***

19. Complete the CA registration > Launch the Cert Authority management console > right click the server name > All Tasks > Install CA Certificate > complete the CA and browse to the new crt file.
20. Go to C:\Windows\System32\CertSrv\CertEnroll and back up {domain_servername}.crt.
21. Rename {domain_servername}(1).crt to {domain_servername}.crt.
22. Open an administrative command window and issue the following commands:

    cd C:\Windows\System32\CertSrv\CertEnroll
    certutil -dspublish -f {domain_servername}.crt SubCA
    certutil -addstore -f root {domain_servername}.crt
    certutil -addstore -f root {CRL-name}.crl
    certutil -dspublish {CRL-name}.crl

23. Restart the Certsvc service.

**********ISSUING ROOT CA PROCEDURE*****************

1. Delete the AlternateSignatureAlgorithm = 1 line from c:\windows\capolicy.inf.
2. Change the Reg Key:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\HDCPKIROOTCA00V\CSP]
    "ProviderType"=dword:00000000
    "Provider"="Microsoft Software Key Storage Provider"
    "HashAlgorithm"=dword:00008004
    "CNGPublicKeyAlgorithm"="RSA"
    "CNGHashAlgorithm"="SHA1"
    "AlternateSignatureAlgorithm"=dword:00000000
    "MachineKeyset"=dword:00000001

3. Restart the Certsvc service.
4. Launch Cert Authority Manager > All Tasks > Renew CA Certificate.
   ****** NO you do NOT want to generate a new Key Pair!!! ******
5. Submit the request to the upstream CA.
6. When it comes back, check that it has the correct Signature Algorithm.
7. As before, go to C:\Windows\System32\CertSrv\CertEnroll.
8. Back up the original > rename the (1) file to the original name again.
9. Open an administrative command window and issue the following commands:

    cd C:\Windows\System32\CertSrv\CertEnroll
    certutil -dspublish -f {domain_servername}.crt SubCA
    certutil -addstore -f root {domain_servername}.crt
    certutil -addstore -f root {CRL-name}.crl
    certutil -dspublish {CRL-name}.crl

10. Restart the Certsvc service.
11. Run 'gpupdate /force'.
12. Launch Cert Authority Manager > right click the server name > Properties > check the full certificate chain.
13. Repeat the above for any other issuing servers.
14. Remove NDES.
15. Remove the RA certs from the NDES server.
16. Reinstall NDES.
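The procedure repeatedly asks you to confirm that the renewed CA certificate is signed with sha1RSA rather than the alternate (RSASSA-PSS) algorithm, and that the CSP registry key has AlternateSignatureAlgorithm set to 0. The following PowerShell script is an added verification aid, not part of the original procedure: it reads the CA name from the Active value under the CertSvc Configuration key (so the CA-specific key name is not hard-coded), checks the CSP values the procedure sets, and flags any .crt in the CertEnroll folder whose signature algorithm OID is RSASSA-PSS (1.2.840.113549.1.1.10). It assumes the default CertEnroll path used throughout the procedure and is meant to be run in an elevated PowerShell on each CA after the Certsvc restart.

```powershell
# Added verification script (not part of the original procedure).
# Assumes the default CertEnroll path; the CA name is read from the registry.

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$cspKey    = Join-Path $configKey "$caName\CSP"
$csp       = Get-ItemProperty -Path $cspKey

$failures = @()

# 1. Registry values the procedure sets on every CA.
if ($csp.AlternateSignatureAlgorithm -ne 0) {
    $failures += "CSP\AlternateSignatureAlgorithm is $($csp.AlternateSignatureAlgorithm) for CA '$caName' (expected 0)"
}
if ($csp.CNGHashAlgorithm -ne 'SHA1') {
    $failures += "CSP\CNGHashAlgorithm is '$($csp.CNGHashAlgorithm)' (procedure expects SHA1)"
}

# 2. Signature algorithm of every CA certificate in CertEnroll.
#    RSASSA-PSS = OID 1.2.840.113549.1.1.10; sha1RSA = OID 1.2.840.113549.1.1.5.
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
$pssOid     = '1.2.840.113549.1.1.10'

foreach ($file in Get-ChildItem -Path $certEnroll -Filter '*.crt') {
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
    $alg    = $cert.SignatureAlgorithm
    $status = if ($alg.Value -eq $pssOid) { 'FAIL' } else { 'ok' }
    '{0,-4} {1,-45} {2} ({3})' -f $status, $file.Name, $alg.FriendlyName, $alg.Value
    if ($status -eq 'FAIL') {
        $failures += "$($file.Name) is still signed with $($alg.FriendlyName)"
    }
}

if ($failures.Count -eq 0) {
    Write-Host "All checks passed for CA '$caName'."
} else {
    Write-Warning ("Renewal incomplete:`n - " + ($failures -join "`n - "))
    exit 1
}
```

The script checks the signature algorithm by OID rather than by the friendly name, because the friendly name varies between Windows versions while the OID does not. A non-zero exit code makes it easy to drop into a post-renewal checklist run on each issuing server before NDES is reinstalled.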