SHA-1 Broken, Migrating to SHA-2

SHA-1 is broken, and there is bold moves from Microsoft to move away from SHA-1 after announcing their deprecation plan for SHA-1 on November 2013. If you want to know the whole story about SHA-1 and why it is being phased out by everyone, then read this blog post [PKI Certificate Services SHA-1 Deprecation]

I spent sometime reading and understanding the answer of the following questions:

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

What makes a CA capable of issuing certificates that uses SHA-2?

This is the million dollars question:) We are talking about Microsoft Certification Authority Servers here.

  • The short answer is that this depends on the Cryptographic Provider that CA is using. And since each Windows version ships with specific set of providers, you may need to upgrade your CA to a newer version of Windows in order to support SHA-2.
  • Even if you are using a cryptographic provider that supports SHA-2, you need to instruct the CA to use SHA-2 for future signing requests.

Check these posts to help you get more familiar about this topic:

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/

SHA-2 Support – Migrate your CA from CSP to KSP

 .

In this blog post, I will be talking about [Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)], inspired from Microsoft TechNet Article talking about the same topic. I will try to give you more information and more examples about this topic, and how this plays big role in your journey to phase out SHA-1 and start using SHA-2

Please read the following topics before continue reading this blog post:

I will not discuss why and when you should migrate from CSP to KSP. However,I will only talk about the steps needed to migrate. After the migration, you can then reconfigure the CA to issue certificates by using the SHA-2 hash algorithm rather than the less secure hash algorithm of SHA-1

Moving to a new blog

I am moving to a new blog format, please follow this link to continue reading 🙂

https://blog.ahasayen.com/how-to-migrate-your-certification-authority-hashing-algorithm-from-sha-1-to-sha-2/