How To Migrate Your Certification Authority Hashing Algorithm From SHA-1 To SHA-2 - Ammar Hasayen
Cryptographic APIs.
What does this have to do with SHA-2?
Which provider is my certification authority using?
Is my certification authority capable of issuing SHA-2
certificates?
Migrate your certification authority from CSP to KSP:
Introduction.
Backup is your big hero.
How are we going to make your CA use KSP instead of CSP?
Migration deep dive.
If you are not sure what SHA-1 deprecation means, how it might affect
you, and whether you should do something about it, then kindly read my
SHA-1 deprecation blog post first and then continue reading here to learn
what the next move is.
https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/ Pagina 2 di 42
How to Migrate Your Certification Authority Hashing Algorithm From SHA-1 To SHA-2 | Ammar Hasayen 30/06/20, 10:29
hashing algorithm from SHA-1 to SHA-2, let us pause for a minute and try
to picture where we want to be in terms of certification authority state.
That is, what a PKI hierarchy that is not affected by the SHA-1 deprecation
plans would look like.
Let me give you an example. A 2-tier PKI hierarchy has an offline root CA
and an online issuer CA [in a two-tier PKI hierarchy, the online issuer is
also considered an intermediate CA server]. The online issuer CA issues
end-entity certificates to users, computers and services.
Here is what a PKI hierarchy might look like, in order to comply with the
SHA-1 deprecation plan.
Here is what a PKI hierarchy might look like, that is affected by the SHA-1
deprecation plan.
This is my favorite approach, as you will not be touching your current PKI
hierarchy at all. Instead, you will establish a new hierarchy with a new root
CA, and design that new hierarchy to support SHA-2 from the start.
Gradually, you will start using the new hierarchy to issue all new
certificates, and perhaps replace old certificates issued from the old
hierarchy with new certificates from the new one.
In this way, you could keep your old PKI hierarchy to support legacy
applications and devices that are not SHA-2 ready, while supporting SHA-2
completely in the new hierarchy.
If you are a professional PKI expert, then you might want to create a
Certificate Policy (CP) document, for the adoption of SHA-2 and the
discontinuation of SHA-1.
So, we can keep using the same root CA in our PKI hierarchy, but we
need to make it a smart root CA, that is, one capable of doing SHA-2
operations.
You are still safe if your root CA is running Windows 2008 R2. Next you
must check the cryptographic provider of your root CA and make sure it
supports SHA-2. Although the root CA certificate itself can be signed
with SHA-1, the root CA still needs to sign the CRL and the new
intermediate CA certificate request with SHA-2. You can read more
about how to check the CA cryptographic provider's SHA-2 support and
how to upgrade to a provider that supports SHA-2 in this blog post. Now
you have your root CA supporting SHA-2.
Cryptographic providers
Why is it a good thing to learn about this cryptographic provider thing
while we are talking about SHA-2 and migration options? Well,
cryptographic providers play a big role when it comes to supporting SHA-2
and to the choice of supported operating systems. Let me put it this way: your
options for moving away from SHA-1 to SHA-2 depend directly on the type
of cryptographic provider you are using in your environment.
John does not need to worry about how to install a kitchen in his house;
he only calls the shop that suits his taste and asks them to do the
installation. Each shop specializes in installing a unique style and
capabilities of kitchens. Now Alice [another application], John's neighbor,
wants to install a kitchen in her house. She just needs to pick a shop
[cryptographic provider], and she can rest assured that the kitchen will be
installed by professionals who know their job.
Cryptographic APIs
Applications also do not talk directly to these providers; they use an API to
do so. The original API used for this purpose is called Microsoft
Cryptography API (CryptoAPI), which is now being replaced by a new
version called Cryptography API: Next Generation (CNG).
As said before, there are two kinds of APIs that bridge communication
between applications and cryptographic providers. Let us talk a little bit
about these two APIs.
Applications call the API (CryptoAPI), and that API calls one of the
Cryptographic Service Providers to do some cryptographic operations.
It has a kernel mode API that implements thread safety throughout the
stack, provides process isolation for its operations and extensive
auditing features.
Backward compatibility with algorithms supported by CryptoAPI.
Complies with FIPS 140-2 and supports the NSA Suite B
Cryptography.
Supports elliptic curve cryptography (ECC), a newer approach to
public key cryptography in which smaller keys give the same
level of security.
Supports the SHA-2 family, which is the most important thing, I believe.
Another thing to notice here is that this API adds another layer of
abstraction. If you recall, the legacy CryptoAPI calls CSPs for both
cryptographic algorithm implementation and key storage. Well, this API is
built to talk to two specialized providers, one that can do only
cryptographic operations, and one that can only do key storage.
Simple enough, this API will call different providers when it comes to key
storage vs cryptographic algorithm operations. The below figure shows
this clearly.
In summary, we want to make sure we are using this new API, as it can
call cryptographic providers that support SHA-2 functionality.
Two things we need to check here to ensure we can move to a SHA-2 PKI
hierarchy:
You can see from the picture above that the cryptographic provider is
Microsoft Strong Cryptographic Provider, which is one of the CSPs
used by the legacy CryptoAPI. This is bad, as we know this provider
cannot do SHA-2 operations. You can also note that the hash algorithm in the
picture is SHA-1.
You can also confirm this information by running certutil -store my <Your
CA common name>.
In the figure below, you can see a CA using Microsoft
Software Key Storage Provider (one of the KSPs). You can also see the
hash algorithm is SHA256, which means that this CA will use SHA-2 to
sign CA CRLs and to sign certificate requests.
Usually there are three steps that are needed to make your CA start using
As shown in the previous section, you can find out which provider your CA
is running by inspecting the general properties of your CA in the
certification authority management console, or by running certutil -store
my <Your CA common name>.
Your provider should be one of the supported Key Storage Providers, which
call Cryptography API: Next Generation (CNG), and not one of the legacy
CryptoAPI CSPs. So if your CA cryptographic provider is one of these
KSPs, Microsoft Software Key Storage Provider or Microsoft Smart
Card Key Storage Provider, then you are good.
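Here is an added PowerShell check (my own example, not the author's script) that pulls together the same facts the console and certutil show: it reads the CA's CSP registry key, decides whether the configured provider is one of the two KSPs named above, decodes the configured hash (the CNGHashAlgorithm string for a KSP, or the legacy CALG_* value whose hash sub-id 4 is SHA1), and reads the signature hash of the CA certificate itself. The CA common name is a placeholder; run it on the CA as an administrator.

```powershell
# Added example, not the author's script. Reports whether a CA is backed by a KSP and
# which hash it is configured to sign with. $CaCommonName is a placeholder.
function Get-CaSha2Readiness {
    param([string]$CaCommonName = 'CONTOSO-ROOT-CA')   # placeholder: your CA common name

    $cspKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaCommonName\CSP"
    $csp    = Get-ItemProperty -Path $cspKey

    # The two CNG key storage providers named in the post; anything else is a legacy CryptoAPI CSP
    $knownKsps = @('Microsoft Software Key Storage Provider', 'Microsoft Smart Card Key Storage Provider')
    $isKsp = $knownKsps -contains $csp.Provider

    if ($isKsp) {
        # KSP-backed CAs carry the hash as a CNG algorithm name, e.g. SHA1 or SHA256
        $configuredHash = $csp.CNGHashAlgorithm
    } else {
        # Legacy CAs carry a CALG_* identifier: class 0x8000 (hash) | type 0 | sub-id.
        # Sub-id 4 is ALG_SID_SHA1 (0x8004 = CALG_SHA1, what certutil -getreg prints);
        # 12, 13 and 14 are the SHA-256/384/512 sub-ids from wincrypt.h.
        $subId = $csp.HashAlgorithm -band 0xFF
        $configuredHash = switch ($subId) {
            4       { 'SHA1' }
            12      { 'SHA256' }
            13      { 'SHA384' }
            14      { 'SHA512' }
            default { 'unknown CALG 0x{0:x}' -f $csp.HashAlgorithm }
        }
    }

    # The CA certificate itself: its own signature hash is independent of the signing hash above
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaCommonName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $certSigHash = if ($caCert) { $caCert.SignatureAlgorithm.FriendlyName } else { 'not found' }

    [pscustomobject]@{
        CaCommonName    = $CaCommonName
        Provider        = $csp.Provider
        ProviderIsKsp   = $isKsp
        ConfiguredHash  = $configuredHash
        CaCertSigHash   = $certSigHash          # e.g. sha1RSA or sha256RSA
        Sha2ReadyToSign = $isKsp -and ($configuredHash -match '^SHA(256|384|512)$')
    }
}

Get-CaSha2Readiness | Format-List
```

A CA whose certificate still shows sha1RSA but whose provider is a KSP with CNGHashAlgorithm SHA256 is in the state the post describes: the CA certificate keeps its SHA-1 signature, while every new CRL and issued certificate is signed with SHA-256.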
In summary:
Next, you need to configure your CA to start using SHA-2 from now
on to sign CRLs and certificate requests. On the CA, in a Command
Prompt window, run the following command:
You might need to stop and restart the certificate services. Note also that
this will not affect certificates issued previously, but it will affect
any newly issued certificate or CRL.
What about the CA certificate itself? You can check whether it is using SHA-1 or
SHA-2 by opening the CA certificate and checking the Signature Hash
Algorithm used to sign the certificate.
Accept the request to stop the Active Directory Certificate Service. You
can choose to generate a new signing key.
Note: the screenshots in this section are taken from Pierre Kennibol's blog post.
Say for example you have a root CA running Windows 2003, and you
want to migrate that to Windows 2008 R2 operating system. You can
This blog post deals with, say, a CA running Windows 2012 R2 that is
still using a legacy CSP. We want to make this CA use a KSP instead. We are
not migrating or upgrading the OS; we just want the same CA to use a KSP
instead of a CSP.
Introduction
Let us review what we know so far:
That’s it. You take care of those three things, and you can go to any
server, and re-build your CA in no time. You can read more about
certification authority backup in my previous blog post.
This stores the private key on that temp server under a KSP
provider. Now, we will immediately export that key from the temp server
by asking the KSP provider to give us the key back. It will do that, and we
will get a KSP compatible key. So, we started with a CSP compatible key,
and now we end up with a KSP compatible key, and the role of the
Windows 2012 R2 temp server is done.
Finally, we will take that KSP compatible key to our original CA server.
We want to make sure we have deleted the private key from that CA first. Then
we will import the KSP compatible private key into our CA server using a
KSP provider.
the private key that was created using a legacy CSP, to a private key that is
KSP compatible. We do that by importing the private key that was
created using the legacy CSP into the KSP provider on the temp server, and
then exporting it again right away.
As you can see, the provider being used is a legacy CSP called
Microsoft Strong Cryptographic Provider.
This means that the CA certificate's private key is stored inside the
operating system using the Microsoft Strong Cryptographic Provider,
which has its own way of storing keys.
Now that you have exported the private key to C:\RootCA.P12 on the CA
server, go ahead and copy it to the staging server.
After that, we need to delete the private key copy from the certification
authority server itself. To do that:
Stop-service certsvc
Cd cert:\localmachine\my
Using the first Cert Hash value that you identified earlier when you ran
the certutil command as the certificate ID, now run the
following command to delete the certificate and private key:
Now if you open the Certificates MMC snap-in and browse to the
Computer Certificate Store > Personal, you will see that the private key
of the CA certificate has been deleted.
Instead of running all these commands, you can just go to the Certificates
Computer Store > Personal and manually delete the CA certificate.
Do that for all CA private keys, in case your CA has more than one
certificate (the case when you have renewed your CA certificate).
Remember the private key of your CA from Step 1 that you stored
in C:\RootCA.P12, now move it to the staging server, and run the
following command to import the key to the KSP provider on the staging
server. Remember that the staging server does not have any roles
installed. You do not need to have CA installed in the machine to store
keys in KSP.
When you are prompted for a password, enter the password that you
provided when you backed up your CA.
What just happened? We took a private key that was created using a
legacy CSP, and we called a KSP provider to store it on a Windows server.
This causes the key to be stored in a form compatible with KSP. This is
the whole magic. Now we will call KSP and ask it to export the key, and
then we will go to our CA server and call KSP on the CA server to import
it.
Now, we are still on the staging server, we will now call KSP to export the
new KSP compatible private key by running:
Certutil -exportpfx my <CA Common Name> <PFX file path for export>
Now that you have C:\NewCert.P12, this is the private key of your CA in
the new KSP format, if I may say so.
Now take that C:\NewCert.P12 from the staging server, copy it to
your CA server, and run the following on your CA server:
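The three machine-by-machine steps above (export and delete on the CA, convert on the staging server, import back on the CA), written out as an added PowerShell example. This is my own script, not the author's; the CA name, PFX paths and password prompt are placeholders, and the certutil switches used (-p, -csp, -importpfx, -exportpfx, -store) are standard certutil options. Run each function on the machine named in its comment, as an administrator, and only after a full CA backup.

```powershell
# Added example, not the author's script: the staging-server dance from the post as three
# functions, one per machine. $CaCommonName, the PFX paths and the password are placeholders.
$CaCommonName = 'CONTOSO-ROOT-CA'                        # placeholder: your CA common name
$Ksp          = 'Microsoft Software Key Storage Provider'
$CspPfx       = 'C:\RootCA.P12'                          # CSP-format key, exported from the CA
$KspPfx       = 'C:\NewCert.P12'                         # KSP-format key, exported from staging
$PfxPassword  = Read-Host 'PFX password'                 # certutil -p needs the plain string

function Get-CaCertThumbprints {
    # A renewed CA has several certificates under the same subject; every one must be handled
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
        Select-Object -ExpandProperty Thumbprint
}

# Step 1 (on the CA): export certificate plus CSP-held key, then remove the CSP copy
function Export-CaKeyFromCsp {
    Stop-Service certsvc
    certutil -p $PfxPassword -exportpfx my $CaCommonName $CspPfx
    if ($LASTEXITCODE -ne 0) { throw 'export failed; CSP key left in place' }
    foreach ($tp in Get-CaCertThumbprints) {
        # -DeleteKey removes the private key together with the certificate
        # (same effect as deleting it in the Certificates MMC snap-in)
        Remove-Item -Path "Cert:\LocalMachine\My\$tp" -DeleteKey
    }
}

# Step 2 (on the staging server, no CA role needed): import into the KSP, export again
function Convert-CaKeyToKsp {
    certutil -p $PfxPassword -csp $Ksp -importpfx $CspPfx
    if ($LASTEXITCODE -ne 0) { throw 'import into KSP failed' }
    certutil -p $PfxPassword -exportpfx my $CaCommonName $KspPfx
    if ($LASTEXITCODE -ne 0) { throw 'export from KSP failed' }
    # The staging copy has done its job once NewCert.P12 exists
    foreach ($tp in Get-CaCertThumbprints) {
        Remove-Item -Path "Cert:\LocalMachine\My\$tp" -DeleteKey
    }
}

# Step 3 (back on the CA): bring the KSP-format key in through the KSP
function Import-CaKeyToKsp {
    certutil -p $PfxPassword -csp $Ksp -importpfx $KspPfx
    if ($LASTEXITCODE -ne 0) { throw 'import on the CA failed' }
    # Confirm the key now lives in the KSP before moving on to the registry changes
    certutil -store my $CaCommonName | Select-String -Pattern 'Provider'
}
```

The order matters: the CSP copy is removed from the CA only after the export has succeeded, and the staging copy only after the KSP export has succeeded, so at every point there is at least one usable copy of the key besides the backup.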
Now, we need to create a couple of registry files and run them on the CA
server. Because it is extremely tricky to create a perfectly formatted
registry key, I do the following:
I prefer that you go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Certsvc\Configuration\<CA Common Name>\CSP
registry key, and export that key to a registry file called E.Reg, for example.
[Windows Registry Editor Version XXX], delete everything else, and
replace it with the below:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Config
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGHashAlgorithm"="SHA1"
Now before you carry on, just let us confirm that the CA was using SHA-1
as hashing algorithm before importing this registry file. To confirm that,
run:
CALG_SHA1
Algorithm Class: 0x8000(4) ALG_CLASS_HASH
Algorithm Type: 0x0(0) ALG_TYPE_ANY
Algorithm Sub-id: 0x4(4) ALG_SID_SHA1
If you do not see SHA1 in your output, modify the CNGHashAlgorithm key
value in the file to have the appropriate name.
Now rename the E.Reg file to E2.Reg file, keep the header information
and delete anything else and replace it with:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Config
"ProviderType"=dword:00000000
"Provider"="Microsoft Software Key Storage Provider"
"CNGPublicKeyAlgorithm"="RSA"
"CNGEncryptionAlgorithm"="3DES"
"MachineKeyset"=dword:00000001
"SymmetricKeySize"=dword:000000a8
Before you save the file, confirm that you are using 3DES for the
encryption algorithm by running the following command:
Now that your CA is using a CNG KSP, you can instruct the CA to use SHA-2
whenever it signs something, like CRLs and certificate requests. To do
that, just run:
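An added PowerShell example (mine, not the author's) covering the two registry files above and the final switch to SHA-2 from the earlier "configure your CA to start using SHA-2" step. Part 1 writes the values from the post's two .reg files with Set-ItemProperty after exporting the existing configuration as a fallback; part 2 sets CNGHashAlgorithm to SHA256 with certutil -setreg, restarts the service and reads the value back with certutil -getreg. The CA name is a placeholder, and the name of the second registry key, EncryptionCSP, is my assumption, since the post's listing is truncated at "...\Config".

```powershell
# Added example, not the author's script. $CaCommonName is a placeholder; the EncryptionCSP
# key name is an assumption (the post's second .reg listing is cut off).
$CaCommonName = 'CONTOSO-ROOT-CA'   # placeholder: your CA common name
$ConfigRoot   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaCommonName"
$Ksp          = 'Microsoft Software Key Storage Provider'

function Set-CaKspRegistry {
    Stop-Service certsvc
    # Keep a copy of the current configuration, like the E.Reg export in the post
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaCommonName" C:\CaConfig-before.reg /y

    # CSP key: the values from the post's first file. CNGHashAlgorithm mirrors the hash the CA
    # used under the CSP (SHA1 here, as in the post) so nothing changes until the explicit switch.
    $csp = Join-Path $ConfigRoot 'CSP'
    Set-ItemProperty -Path $csp -Name ProviderType          -Value 0     -Type DWord
    Set-ItemProperty -Path $csp -Name Provider              -Value $Ksp  -Type String
    Set-ItemProperty -Path $csp -Name CNGPublicKeyAlgorithm -Value 'RSA' -Type String
    Set-ItemProperty -Path $csp -Name CNGHashAlgorithm      -Value 'SHA1' -Type String

    # EncryptionCSP key (assumed name): the values from the post's second file.
    # SymmetricKeySize 0xa8 = 168, the 3DES key length in bits.
    $enc = Join-Path $ConfigRoot 'EncryptionCSP'
    if (-not (Test-Path $enc)) { New-Item -Path $enc | Out-Null }
    Set-ItemProperty -Path $enc -Name ProviderType           -Value 0      -Type DWord
    Set-ItemProperty -Path $enc -Name Provider               -Value $Ksp   -Type String
    Set-ItemProperty -Path $enc -Name CNGPublicKeyAlgorithm  -Value 'RSA'  -Type String
    Set-ItemProperty -Path $enc -Name CNGEncryptionAlgorithm -Value '3DES' -Type String
    Set-ItemProperty -Path $enc -Name MachineKeyset          -Value 1      -Type DWord
    Set-ItemProperty -Path $enc -Name SymmetricKeySize       -Value 0xa8   -Type DWord

    Start-Service certsvc
}

function Switch-CaSigningHashToSha256 {
    # Affects only CRLs and certificates signed from now on; the CA certificate's own
    # signature (and every certificate already issued) keeps whatever hash it has.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    if ($LASTEXITCODE -ne 0) { throw 'setreg failed' }
    Restart-Service certsvc
    # Read the value back, then publish a fresh CRL so the new hash is in use immediately
    certutil -getreg ca\csp\CNGHashAlgorithm
    certutil -crl
}

Set-CaKspRegistry
Switch-CaSigningHashToSha256
```

If the CA was not using SHA-1 before the change, set CNGHashAlgorithm in Set-CaKspRegistry to the name that matches the CALG_* value certutil -getreg reported, as the post says, so the first restart under the KSP reproduces the old behaviour before the deliberate switch.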