
Migrating a root certification authority from SHA1 to SHA256 (hash algorithm)

As of 01.01.2016, Microsoft will treat SSL certificates that use SHA1 as their hash algorithm as invalid. Web servers or services that use SHA1 certificates will therefore trigger certificate warnings in users' browsers, so SHA1 certificates should be replaced slowly but surely. For an internal CA to issue certificates with SHA256 (SHA2), the CA itself must first be converted from SHA1 to SHA2. The corresponding howto follows here:

In the properties of the CA you can see that its hash algorithm is set to SHA1. The CA can therefore only issue certificates signed with SHA1.

As an example, here is an IIS web server that obtained its certificate from this CA. Its certificate is likewise signed with SHA1.

To change the CA to SHA256 (SHA2), the following command must be executed on the command line:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

If the output looks like the above, the CA service must be restarted, i.e. stopped once and started again:

Whether SHA256 is now used as the hash algorithm can be checked again in the properties of the CA.
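The three steps above (set the value, restart the CA, read it back) as a PowerShell script. This is an added example, not code from the original post. It assumes it is run elevated on the CA server. The registry layout it reads (`Configuration\Active`, `<CA>\CSP\Provider`, `CSP\CNGHashAlgorithm`), the `certutil` switch and the service name `CertSvc` are the documented ones; the function names are this example's own. It adds one check the post does not mention: `CNGHashAlgorithm` is only honoured when the CA key is held by a CNG key storage provider (KSP), so the script warns when the provider name looks like a legacy CSP.

```powershell
# Added example: switch an AD CS CA from SHA1 to SHA256 and verify the result.
# Run elevated on the CA server. Function names are this example's own.

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaCspConfig {
    # The 'Active' value names the CA instance; its CSP subkey holds the key
    # provider and the hash algorithm the CA signs new certificates with.
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $csp    = Get-ItemProperty -Path (Join-Path $ConfigKey "$caName\CSP")
    [pscustomobject]@{
        CaName           = $caName
        Provider         = $csp.Provider
        CngHashAlgorithm = $csp.CNGHashAlgorithm
    }
}

function Set-CaHashAlgorithmSha256 {
    $before = Get-CaCspConfig

    # Heuristic check: CNGHashAlgorithm only applies when the CA key lives in a
    # CNG KSP. With a legacy CSP (e.g. 'Microsoft Strong Cryptographic Provider')
    # the value is ignored and the key has to be migrated to a KSP first.
    if ($before.Provider -notmatch 'Key Storage Provider') {
        Write-Warning ("CA '{0}' uses provider '{1}', which does not look like a CNG KSP; " +
                       "CNGHashAlgorithm may be ignored until the key is migrated.") -f $before.CaName, $before.Provider
    }

    if ($before.CngHashAlgorithm -eq 'SHA256') {
        Write-Host "CA '$($before.CaName)' already signs with SHA256; nothing to do."
        return $before
    }

    Write-Host "Current hash algorithm: '$($before.CngHashAlgorithm)' -> setting SHA256"
    # The command from the post; certutil writes the registry value for us.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

    # The CA reads the value only at start-up, hence the stop/start in the post.
    Restart-Service -Name CertSvc
    (Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    $after = Get-CaCspConfig
    if ($after.CngHashAlgorithm -ne 'SHA256') {
        throw "CNGHashAlgorithm still reads '$($after.CngHashAlgorithm)' after the restart."
    }
    Write-Host "CA '$($after.CaName)' now signs new certificates with SHA256."
    return $after
}

Set-CaHashAlgorithmSha256
```

The provider check is a name-based heuristic: TPM or HSM key storage providers that do not carry "Key Storage Provider" in their name will trigger the warning even though they are CNG providers, so treat the warning as a prompt to look at the provider, not as a hard failure.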

With that, the hash algorithm of the CA has been changed to SHA-256. Previously issued certificates remain valid; nothing in them changes, as the IIS example shows once again:

Only new or renewed certificates are signed with SHA-256. Certificates can be renewed via the Certificates snap-in in the MMC:

After the certificate was renewed, the CA signed it with SHA256:

And here again the IIS example: everything valid, now with SHA256:

The root certificate of course still shows SHA1 as its hash algorithm, since it has not yet been renewed. There is, however, no strict need to renew the root certificate by 2016: certification authority certificates remain valid even with SHA1, because clients trust a root by its presence in their trust store rather than by verifying its self-signature.

The CA certificate can also be renewed (note: the wizard stops the CA):

After the CA certificate has been renewed, it also contains SHA256:

And here again the IIS example for comparison: old and new certificates remain valid.

Of course, the old SHA1 certificates must still be renewed so that no certificate warnings appear from 2016 onwards, but that should not be a major problem, apart from a little manual work.
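To find out which certificates still need that renewal, the following added example (not code from the original post) inventories SHA1-signed certificates in the local machine stores and checks the certificate a web server such as the IIS above actually presents. The store paths and the .NET `X509Certificate2` / `SslStream` types are real; the function names, the parameters and the placeholder host name are this example's own. Self-signed roots are flagged separately, since, as the post notes, they do not need to be renewed for 2016.

```powershell
# Added example: list certificates whose signature still uses SHA1, locally and
# as presented by a TLS endpoint. Function names are this example's own.

function Get-Sha1SignedCertificate {
    param(
        # Default: the machine personal store (where IIS keeps its server
        # certificates) plus the trusted root store.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path |
            # SignatureAlgorithm is how the issuer signed the cert, e.g. sha1RSA / sha256RSA
            Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Signature  = $_.SignatureAlgorithm.FriendlyName
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)   # roots: no renewal needed for 2016
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

function Get-TlsServerSignatureAlgorithm {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Fetch the leaf certificate the server presents. The validation callback
    # returns $true because we only want to inspect the certificate here, not
    # decide whether to trust it.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Signature    = $cert.SignatureAlgorithm.FriendlyName
            NeedsRenewal = ($cert.SignatureAlgorithm.FriendlyName -match '^sha1')
        }
    }
    finally {
        $client.Dispose()
    }
}

# Local inventory: every SHA1-signed certificate, with self-signed roots marked.
Get-Sha1SignedCertificate | Format-Table -AutoSize

# Endpoint check: replace the placeholder with the web server to inspect.
Get-TlsServerSignatureAlgorithm -HostName 'iis01.example.internal'
```

Run the inventory on each server that holds certificates issued by the CA; every entry with `SelfSigned` equal to `False` is a candidate for renewal through the Certificates snap-in as described above, and the endpoint check confirms afterwards that the web server really serves the renewed certificate.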
