Upgrade and renew Microsoft Root CA's certificate to use SHA256 hashing algorithm instead of SHA1

Article ID: 169367

Products

  • SSL Visibility Appliance Software
  • Advanced Secure Gateway Software - ASG
  • ProxySG Software - SGOS

Issue/Introduction

Major browsers have begun removing support for SHA-1 certificates, starting with Google Chrome 56, Mozilla Firefox 51, and Internet Explorer 11. As a result, you might see the following behavior changes in affected browsers:

  • Chrome displays a "not secure" message, a red warning triangle, and 'https' struck through in the address bar. If you click it, a message explains "Your connection to this site is not secure. You should not enter any sensitive information."
  • Internet Explorer 11 omits the padlock icon at the right of the address bar and shows 'https' in gray rather than black. This is not very noticeable.
  • Mozilla Firefox blocks the page and displays a "This Connection is Untrusted" message. To continue, you must add an exception. After you add the exception, the browser displays a yellow warning triangle over the padlock icon.
  • Microsoft Edge omits the padlock icon it shows on other secure sites. This is not very noticeable.

Resolution

Upgrade the root CA to SHA256:

  1. Verify whether your CA is using a Cryptographic Service Provider (CSP), which supports only SHA-1 and earlier, or a Key Storage Provider (KSP), which supports SHA256. If you are using a CSP, migrate to a KSP before continuing. Refer to the Microsoft article linked in the Additional Information section below for instructions on checking this setting and upgrading if needed.
  2. Change the hashing algorithm to SHA256 from an elevated command prompt on the server where the CA service is installed:
     certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    • (The CA service may need to be restarted for the change to take effect.)
  3. Renew the certificate: open MMC with the Certification Authority (Local) snap-in, right-click the CA and select All Tasks > Renew CA Certificate. Select whether you want to keep the existing keys or create new ones.
  4. The signature hash algorithm of the Root CA certificate should now be SHA256. Confirm this in the Certification Authority snap-in by selecting the new certificate and viewing its properties.
  5. Install the new SHA256 Root CA and subordinate certificates in the ProxySG appliance as described in KB article Configure SSL interception with Microsoft PKI for Explicit proxy.

Note: Creating a CSR in SHA256 in the ProxySG appliance is NOT required for the Root CA server to sign the intermediate certificate with SHA256. This means you can create the CSR in SHA1, and when signed by the Root CA, it applies SHA256 to the intermediate certificate. See KB article Create a Certificate Signing Request (CSR) with an SHA-2 cryptographic hash function on the ProxySG for details.
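The following PowerShell script is an added example, not part of this KB article, that audits steps 1, 2 and 4 above on the CA server: it reads the CA's provider and CNGHashAlgorithm values with certutil, optionally applies the SHA256 setting and restarts the service, and then checks which algorithm actually signed the CA certificate currently in use. The parameter names ($Apply, $CaCertPath) and the output path are assumptions; run it in an elevated PowerShell session.

```powershell
[CmdletBinding()]
param(
    # Apply step 2 (set CNGHashAlgorithm to SHA256 and restart certsvc) instead of only auditing.
    [switch]$Apply,
    # Assumed path where a copy of the current CA certificate is written for inspection.
    [string]$CaCertPath = "$env:TEMP\ca-current.cer"
)
$ErrorActionPreference = 'Stop'

function Get-CaRegValue([string]$Name) {
    # certutil -getreg prints "<Name> REG_SZ = <value>"; extract the value part.
    $out = (certutil -getreg "ca\csp\$Name") -join "`n"
    $m = [regex]::Match($out, "$Name\s+REG_SZ\s*=\s*(.+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

# Step 1: a legacy CSP cannot sign with SHA-2; a KSP name contains "Key Storage Provider".
$provider = Get-CaRegValue 'Provider'
$hash     = Get-CaRegValue 'CNGHashAlgorithm'
Write-Host "Provider        : $provider"
Write-Host "CNGHashAlgorithm: $hash"
if ($provider -notmatch 'Key Storage Provider') {
    Write-Warning 'The CA key is held by a CSP; migrate to a KSP before changing the hash algorithm.'
    return
}

# Step 2 (only with -Apply): switch new signatures to SHA256 and restart the CA service.
if ($Apply -and $hash -ne 'SHA256') {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    Restart-Service certsvc
    Write-Host 'CNGHashAlgorithm set to SHA256 and certsvc restarted.'
}

# Step 4: inspect the CA certificate currently in use. The registry value affects
# future signatures only; the root's own signature changes after renewal (step 3).
certutil -f -ca.cert $CaCertPath | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
Write-Host "CA certificate  : $($cert.Subject)"
Write-Host "Signed with     : $($cert.SignatureAlgorithm.FriendlyName)"
if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
    Write-Warning 'The current CA certificate is still SHA-1 signed; renew it (step 3) and re-run this check.'
}
```

Without -Apply the script changes nothing, so it can be run before and after the renewal to record the provider, the configured hash, and the signature algorithm of the live root certificate.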
