Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

KB ID 0001244 Dtd 12/10/16


This is part two of two posts addressing the need to migrate away from SHA1 before February 2017. In PART ONE we looked at how to upgrade the Root CA; it does not matter whether it's an offline or online root CA, the process is the same. In many organisations the PKI is multi-tiered: either RootCA <> SubCA, or RootCA <> IntermediateCA <> IssuingCA (which is actually two SubCAs).


Below I'll run through the process to upgrade the SubCA once the RootCA has already been done. I'll also look at how that's going to affect things like NDES (Network Device Enrollment Service).


Before we think about SubCAs the RootCA needs to be upgraded first; if it's offline, bring it online and follow the steps outlined in the previous article.

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

So your RootCA will now look like this before we start;

Root CA Using SHA256

Note: If it’s normally offline leave it on, (we need it to issue the SubCA certificate).

The command to change the CA from SHA1 to SHA256 is the same one we used on the RootCA, and you will then need to restart Certificate Services. Note that this setting only applies when the CA's key is held by a CNG Key Storage Provider (KSP); if the CA still uses a legacy CSP, the key must be migrated to a KSP first, otherwise the setting has no effect.

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
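As an added example (not part of the original article), here is the same change wrapped in a PowerShell script that refuses to proceed when the CA key is held by a legacy CSP, restarts CertSvc, and then reads the setting and the CA certificate's own signature algorithm back. It assumes it runs elevated on the CA itself, uses only certutil and .NET, and the function names are mine.

```powershell
# Added example, not from the original article: inspect a Microsoft CA's key storage
# provider and hash algorithm, switch it to SHA256 only if the key is held by a CNG
# Key Storage Provider, restart Certificate Services and confirm the change.
# Assumptions: runs elevated on the CA itself (certutil.exe reads the local CA
# configuration) and $env:TEMP is writable.

function Get-CaRegValue {
    # Wraps 'certutil -getreg'. The output contains a line such as
    #   CNGHashAlgorithm REG_SZ = SHA256
    # so return whatever follows the '=' on the first matching line.
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'ca\csp\CNGHashAlgorithm'
    $lines = & certutil.exe -getreg $Path 2>&1
    foreach ($line in $lines) {
        if ("$line" -match 'REG_\w+\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Get-CaCertSignatureAlgorithm {
    # Export the CA's current (most recent) certificate and read its signature
    # algorithm: 'sha1RSA' before the CA certificate is renewed, 'sha256RSA' after.
    $tmp = Join-Path $env:TEMP 'ca-current.cer'
    & certutil.exe -ca.cert $tmp | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    return $cert.SignatureAlgorithm.FriendlyName
}

function Set-CaHashSha256 {
    $provider = Get-CaRegValue 'ca\csp\Provider'
    $current  = Get-CaRegValue 'ca\csp\CNGHashAlgorithm'
    Write-Host "Provider: $provider"
    Write-Host "CNGHashAlgorithm before: $current"

    # CNGHashAlgorithm only applies to CNG-based CAs. A legacy CSP name (for
    # example 'Microsoft Strong Cryptographic Provider') means the key must be
    # migrated to a KSP first; setting the value would silently do nothing.
    if ($provider -notmatch 'Key Storage Provider') {
        throw "CA key is held by legacy CSP '$provider'; migrate the key to a KSP before changing the hash algorithm."
    }

    if ($current -ne 'SHA256') {
        & certutil.exe -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
        Restart-Service -Name CertSvc
    }

    $after = Get-CaRegValue 'ca\csp\CNGHashAlgorithm'
    if ($after -ne 'SHA256') { throw "CNGHashAlgorithm is '$after', expected SHA256" }
    Write-Host "CNGHashAlgorithm after: $after"

    # The registry change affects what the CA signs from now on. The CA's own
    # certificate keeps its old signature until it is renewed, which is the next
    # step in the article.
    Write-Host "CA certificate currently signed with: $(Get-CaCertSignatureAlgorithm)"
}

Set-CaHashSha256
```

The provider check is a name-based heuristic: every Microsoft KSP name contains "Key Storage Provider", so a CA whose Provider value lacks it is on a legacy CSP and needs the key migrated before the hash algorithm change will take effect.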

Sub CA Using SHA256

As with the RootCA, we need to renew the CA certificate so that it is re-signed with SHA256: in the Certification Authority console, right-click the CA > All Tasks > Renew CA Certificate. If you reuse the existing key pair, certificates already issued under the old CA certificate continue to validate.

Sub CA Renew CA Cert


If your RootCA is online and an Enterprise CA, you can submit the request directly to it and skip the next few steps. But let's take the worst-case scenario and assume our RootCA is offline (and even when online has no network connections), so we have to do the submission manually, via floppy disk.

Floppy disks? What year is this? Well, moving files between virtual machines is simple using virtual floppy disks; if you have physical machines, then you need to go hunting in drawers and cupboards!

Either way, we are doing this manually so select CANCEL.

Sub CA Offline Cert Request

Copy your certificate request from the root of the system drive to your floppy drive.

Sub CA create Cert Request

Then present the floppy to your RootCA, and issue the following command;

certreq -submit "A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.req"

You will be given a RequestID; write it down, (you will need it in a minute). Leave the command window open!

Sub CA submit Cert Request

In the Certification Authority management console > open 'Pending Requests' > locate the RequestID number you noted above, and issue the certificate.

Sub CA Issue Cert Request

Back at your command window, retrieve the certificate with the following command, (use the RequestID again);

certreq -retrieve 4 "A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.crt"

Sub CA Retrieve Cert Request

Take your floppy back to the SubCA and install the certificate (change the file type filter to 'All Files').

Sub CA Install CA Cert

Now your SubCA is using a SHA256 certificate.

Sub CA Upgraded to Sha256

Repeat the process for any further SubCAs.
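As an added example (not part of the original article), the manual round trip above, from submitting the request on the RootCA to installing the issued certificate on the SubCA, scripted with certreq and certutil in place of the console clicks. Run the first function on the RootCA and the second on the SubCA. The RootCA config string, the file names on A:\ and the function names are assumptions, and it assumes the RootCA is a standalone CA so the request pends (as it does in the article).

```powershell
# Added example, not from the original article: the offline SubCA renewal round trip.
# Submit-SubCaRequestOnRoot runs on the RootCA; Install-RenewedSubCaCert runs on the
# SubCA. Assumptions (all illustrative): the RootCA is a standalone CA so the request
# is taken under submission, its config string is 'ROOT-CA\cabench-ROOT-CA', and the
# request/certificate files travel on A:\ exactly as in the article.

function Submit-SubCaRequestOnRoot {
    param(
        [Parameter(Mandatory)][string]$RequestFile,      # e.g. 'A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.req'
        [Parameter(Mandatory)][string]$CertFile,         # where the issued cert is written, e.g. the matching .crt on A:\
        [string]$CaConfig = 'ROOT-CA\cabench-ROOT-CA'    # hostname\CA name of the root (assumed)
    )
    # Submit. On a standalone root the request pends and certreq prints a line
    # 'RequestId: 4'; capture that number instead of writing it down.
    $out = & certreq.exe -submit -config $CaConfig $RequestFile 2>&1 | Out-String
    if ($out -notmatch 'RequestId:\s*(\d+)') { throw "No RequestId in certreq output:`n$out" }
    $requestId = [int]$Matches[1]
    Write-Host "Request pending on $CaConfig with RequestId $requestId"

    # Issue it: the command-line equivalent of Pending Requests > Issue in the console.
    & certutil.exe -config $CaConfig -resubmit $requestId | Out-Null

    # Retrieve the signed SubCA certificate back onto the floppy.
    & certreq.exe -retrieve -config $CaConfig $requestId $CertFile | Out-Null
    if (-not (Test-Path $CertFile)) { throw "certreq -retrieve did not write $CertFile" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    Write-Host "Issued: $($cert.Subject), signed with $($cert.SignatureAlgorithm.FriendlyName)"
    return $cert
}

function Install-RenewedSubCaCert {
    param([Parameter(Mandatory)][string]$CertFile)      # the .crt brought back from the root
    # Same as 'Install CA Certificate' in the console: binds the returned certificate
    # to the key of the pending renewal, then starts the service the renewal stopped.
    & certutil.exe -installCert $CertFile | Out-Null
    Start-Service -Name CertSvc

    # Confirm the SubCA is now running on a SHA256-signed certificate.
    $tmp = Join-Path $env:TEMP 'subca-current.cer'
    & certutil.exe -ca.cert $tmp | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    $alg = $cert.SignatureAlgorithm.FriendlyName
    if ($alg -ne 'sha256RSA') { throw "SubCA certificate is signed with $alg, expected sha256RSA" }
    Write-Host "SubCA certificate OK: $($cert.Subject), issuer $($cert.Issuer), $alg"
}

# On the RootCA:
#   Submit-SubCaRequestOnRoot -RequestFile 'A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.req' `
#                             -CertFile    'A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.crt'
# On the SubCA:
#   Install-RenewedSubCaCert -CertFile 'A:\02-SUB-CA.cabench.com_cabench-02-SUB-CA-CA.crt'
```

The final check matters: a SubCA whose CNGHashAlgorithm is SHA256 but whose own certificate is still sha1RSA will issue SHA256 leaf certificates that still chain through a SHA1 signature, which is exactly what the renewal is meant to remove.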


I Use NDES How Will That Be Affected?


Having had problems with certificates and NDES before, I was concerned about this the most, because I have to look after a lot of Cisco equipment that gets certs from NDES (or SCEP if you prefer). I'm happy to say NDES worked fine with SHA256 certificates. Below I successfully issued certs to a Cisco ASA (running 9.2(4)).

NDES and Sha256 Cisco ASA


NDES and Sha256

Related Articles, References, Credits, or External Links

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Windows Server 2012 – Install and Configure NDES

Cisco ASA – Enrolling for Certificates with NDES

Cisco IOS – Enrolling for Certificates with NDES

Author: PeteLong



  1. Hi,
    I have RADIUS authentication using computer certificates deployed with auto enroll. Will these affected by migration from SHA1 to SHA2? Should I revoke the already deployed certificates and issue new ones?

    • No, already issued certificates are still trusted, because the older, less secure CA certificate is still in date, and still trusted.

  2. Hi, I have a question regarding Cisco ASA using NDES/SCEP with our internal CA. We are looking to migrate our two-tier PKI to SHA256. But before we do we need to make sure we can still validate the already issued SHA1 client/user certificates on the field devices that connect to the Cisco ASA. My understanding is that I’ll need to import the new SHA256 signed CA certificates (Root & SubCA) into the ASA trustpoint. But I don’t think the new CA certs will be able to validate the previous SHA1 client certs on the field devices. Or can it still be validated if I renew the CA certs with the same key pair?

    Another option is to build a parallel PKI with SHA256 to issue new SHA256 signed certs and leave the old PKI for existing SHA1 certs. Then I would add another trustpoint on the ASA for issuing new SHA256 certs. Is the ASA smart enough to know which trustpoint to use to validate and authenticate client/user?

    And would you have any articles or references on how to configure the Windows domain/environment to have two Enterprise PKIs? Obviously the old SHA1 is there solely to validate/authenticate while the new SHA2 is the only one that will issue certificates for the enterprise.

    Really appreciate your help!


    • I have not done this, so I can’t comment, but I would urge you to build it in EVE-NG and test it first!


