Upgrade and renew Microsoft Root CA's certificate to use SHA256 hashing algorithm instead of SHA1
Last Updated May 29, 2019
Major browsers have started removing support for SHA-1 certificates; the latest Google Chrome 56, Mozilla Firefox 51, and Internet Explorer 11 versions all do so. As a result, you might see the following behavior changes in affected browsers:
Chrome displays a "not secure" message, a red warning triangle, and 'https' crossed out. If you click it, a message explains: "Your connection to this site is not secure. You should not enter any sensitive information."
Internet Explorer 11 omits the padlock icon at the right of the address bar and shows 'https' in gray rather than black. This is not very noticeable.
Mozilla Firefox blocks the page and displays a "This Connection is Untrusted" message. To continue, you must add an exception. After you add the exception, the browser displays a yellow warning triangle over the padlock icon.
Microsoft Edge omits the padlock icon it shows on other secure sites. This is not very noticeable.
Upgrade the root CA to SHA256:
Verify whether your CA is using a Cryptographic Service Provider (CSP), which supports only SHA-1 and weaker hashes, or a Key Storage Provider (KSP), which supports SHA256. If you are using a CSP, migrate to a KSP before continuing. Refer to the Microsoft article linked in the Additional Information section below for instructions on checking this setting and upgrading if needed.
Upgrade the hashing algorithm to SHA256 from an elevated command prompt on the server where the CA service is installed: certutil -setreg ca\csp\CNGHashAlgorithm SHA256
(The CA service may need to be restarted for the change to take effect.)
Renew the certificate: open MMC with the Certification Authority (Local) snap-in, right-click the CA, and select All Tasks > Renew CA Certificate. Choose whether to keep the existing keys or create new ones.
The signature hash algorithm of the Root CA certificate should now be SHA256. To confirm, open Certification Authority, select the new certificate, and view its properties as shown below.
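As an added example (not part of the original article), the following PowerShell reads the settings the steps above touch and reports whether the CA is on a CSP or KSP, what CNGHashAlgorithm is set to, and which signature algorithm each CA certificate actually carries, so it can be run before the upgrade and again after the renewal. It assumes the standard CertSvc registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and that the CA's own certificates are in the local machine Personal store; the "Key Storage Provider" name match used to classify the provider is a heuristic.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell on the CA server.
# Assumes the standard CertSvc registry layout and that CA certificates live in Cert:\LocalMachine\My.
function Get-CaHashStatus {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active      # name of the active CA
    $caKey  = Join-Path $cfg $caName
    $csp    = Get-ItemProperty -Path (Join-Path $caKey 'CSP')        # the ca\csp\* values certutil edits

    # Heuristic (assumption): CNG providers are named "... Key Storage Provider"; legacy CSPs
    # such as "Microsoft Strong Cryptographic Provider" are not and cannot sign with SHA256.
    $isKsp = $csp.Provider -like '*Key Storage Provider*'

    # CACertHash lists one thumbprint per CA certificate (spaces inside the hex); newest is last.
    $thumbs = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash |
              ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

    $certs = foreach ($t in $thumbs) {
        $c = Get-ChildItem -Path "Cert:\LocalMachine\My\$t" -ErrorAction SilentlyContinue
        if ($c) {
            [pscustomobject]@{
                Thumbprint   = $t
                NotAfter     = $c.NotAfter
                SignatureAlg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            }
        }
    }

    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        ProviderIsKsp    = $isKsp
        CNGHashAlgorithm = $csp.CNGHashAlgorithm   # set by: certutil -setreg ca\csp\CNGHashAlgorithm SHA256
        # True once the provider is a KSP and the hash is SHA256; the renewed cert is then signed with SHA256
        ReadyForSha256   = $isKsp -and ($csp.CNGHashAlgorithm -eq 'SHA256')
        CACertificates   = $certs
    }
}

$status = Get-CaHashStatus
$status | Format-List CAName, Provider, ProviderIsKsp, CNGHashAlgorithm, ReadyForSha256
$status.CACertificates | Format-Table Thumbprint, NotAfter, SignatureAlg -AutoSize
```

After the renewal, the last entry in the certificate table should show sha256RSA while older entries still show sha1RSA; if ReadyForSha256 is False before renewing, the new certificate will still be signed with SHA-1.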