{"id":76952,"date":"2016-02-17T00:01:52","date_gmt":"2016-02-17T00:01:52","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/?p=76952"},"modified":"2019-02-18T09:19:51","modified_gmt":"2019-02-18T16:19:51","slug":"migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-3","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-3\/","title":{"rendered":"Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3"},"content":{"rendered":"<p><strong>Summary<\/strong>: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to delete your Windows CA certificates and crypto provider as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256.<\/p>\n<p>Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (<a href=\"https:\/\/twitter.com\/MrThomasRayner\">@MrThomasRayner<\/a>) or on my blog, <a href=\"http:\/\/workingsysadmin.com\/\" target=\"_blank\">Working Sysadmin: Figuring stuff out at work<\/a>.<\/p>\n<p>I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. 
This script has only been tested on Windows Server 2012 and later.<\/p>\n<p><strong>\u00a0 Note<\/strong>\u00a0\u00a0\u00a0This is a five-part series that includes the following posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/15\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1<\/a>\nExplore why you may need to perform this work, configure logging, and set up variables.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/16\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-2\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2<\/a>\nBack up your certification authority (CA) and test the script.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/17\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-3\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3<\/a>\nDelete the CA certificate and its private key from the old CSP so they can be rebuilt as a KSP and SHA-256 solution.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/18\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-4\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4<\/a>\nImport keys and certificate into a KSP.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/19\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-5\/\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5<\/a>\nModify the registry for SHA-256.<\/li>\n<\/ul>\n<p>Now let\u2019s delete a bunch of things!<\/p>\n<p>There\u2019s a lot of stuff to delete so we can re-create it properly. 
Before we do anything else, let\u2019s stop the certificate service. Run everything in this part from an elevated PowerShell session: the machine certificate store and the CA\u2019s private key need administrator rights, and <strong>certutil<\/strong>\u2019s <strong>-store<\/strong> and <strong>-delkey<\/strong> work against the machine store unless you pass <strong>-user<\/strong>.<\/p>\n<p style=\"padding-left: 30px\">Stop-Service -Name 'certsvc'<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'CA service stopped'<\/p>\n<p>Now let\u2019s retrieve and record an identifier for our CA certificate:<\/p>\n<p style=\"padding-left: 30px\">$CertSerial = cmd.exe \/c \"certutil -store My $(\"$CAName\")\" | Where-Object -FilterScript {<\/p>\n<p style=\"padding-left: 30px\">\u00a0\u00a0\u00a0 $_ -match 'hash'<\/p>\n<p style=\"padding-left: 30px\">}<\/p>\n<p style=\"padding-left: 30px\">$CertSerial | Out-File -FilePath \"$Drivename\\$Foldername\\CA_Certificates.txt\"<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Got CA cert serials'<\/p>\n<p>This <strong>certutil<\/strong> command lists the certificates in the machine store that match my CA name. I\u2019m using <strong>Where-Object<\/strong> to keep only the <strong>Cert Hash(sha1)<\/strong> line. Strictly speaking that is the certificate\u2019s thumbprint, not its serial number (the serial is on the separate <strong>Serial Number<\/strong> line), but <strong>certutil<\/strong> accepts either one as a certificate identifier, so the thumbprint is what we will delete by later, even though the variable is called <strong>$CertSerial<\/strong>. If your CA name contains spaces, wrap it in escaped quotation marks the same way the delete commands below do, or <strong>certutil<\/strong> will treat each word as a separate argument. You can see the difference in this screenshot:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-1.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-76981\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-1-300x118.png\" alt=\"Image of code\" width=\"300\" height=\"118\" \/><\/a><\/p>\n<p>Then, I write the output to CA_Certificates.txt in my working folder, in case I need it again.<\/p>\n<p>Next up, certificate providers! It\u2019s almost the same command. 
I\u2019m going to save the providers in CSP.txt:<\/p>\n<p style=\"padding-left: 30px\">$CertProvider = cmd.exe \/c \"certutil -store My $(\"$CAName\")\" | Where-Object -FilterScript {<\/p>\n<p style=\"padding-left: 30px\">\u00a0\u00a0\u00a0 $_ -match 'provider'<\/p>\n<p style=\"padding-left: 30px\">}<\/p>\n<p style=\"padding-left: 30px\">$CertProvider | Out-File -FilePath \"$Drivename\\$Foldername\\CSP.txt\"<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Got CA CSPs'<\/p>\n<p>Now it\u2019s time to cowboy up and delete some stuff! First, let\u2019s delete the certificate:<\/p>\n<p style=\"padding-left: 30px\">$CertSerial | ForEach-Object -Process {<\/p>\n<p style=\"padding-left: 30px\">\u00a0\u00a0\u00a0 cmd.exe \/c \"certutil -delstore My `\"$($_.Split(':')[-1].Trim(' '))`\"\"<\/p>\n<p style=\"padding-left: 30px\">}<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Deleted CA certificates'<\/p>\n<p>That looks pretty interesting. Let me break down the weird bit of string manipulation I\u2019m doing:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-2.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-76991\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-2-300x117.png\" alt=\"Image of code\" width=\"300\" height=\"117\" \/><\/a><\/p>\n<ul>\n<li>The first line writes the value of <strong>$CertSerial<\/strong>.<\/li>\n<li>The next splits it on the colon character.<\/li>\n<li>The third line selects only the last piece, which is the thumbprint itself.<\/li>\n<li>Then I\u2019m trimming the whitespace off each end.<\/li>\n<li>Now on line 5, I\u2019m trying to put quotation marks around the thumbprint, but PowerShell thinks I\u2019m trying to denote that this is a string. 
The problem is that the <strong>certutil<\/strong> command needs the quotation marks to be passed through. Otherwise, it treats each space-separated byte pair of the thumbprint as a different argument.<\/li>\n<li>So on line 6, I\u2019m escaping the quotation marks with the backtick character. This lets the <strong>-delstore<\/strong> argument of <strong>certutil<\/strong> accurately delete your certificate.<\/li>\n<\/ul>\n<p>Next is deleting the private key from the provider. It\u2019s going to be pretty similar to how I just deleted the certificate, but this is the irreversible step: <strong>-delkey<\/strong> destroys the key container, so make sure the backup you took in Part 2 is in hand before you run it.<\/p>\n<p style=\"padding-left: 30px\">$CertProvider | ForEach-Object -Process {<\/p>\n<p style=\"padding-left: 30px\">\u00a0\u00a0\u00a0 cmd.exe \/c \"certutil -CSP `\"$($_.Split('=')[-1].Trim(' '))`\" -delkey $(\"$CAName\")\"<\/p>\n<p style=\"padding-left: 30px\">}<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Deleted CA private keys'<\/p>\n<p>I\u2019ll break this one down, too. The differences are that the screenshot walks through a single provider line outside the <strong>ForEach-Object<\/strong> loop, and I\u2019m splitting on the equals ( <strong>=<\/strong> ) character, because the line looks like <strong>Provider = Microsoft Strong Cryptographic Provider<\/strong>. I still have to wrap the result in escaped quotation marks, too (not pictured), since provider names contain spaces. One thing to check: <strong>-delkey<\/strong> takes a key container name, and this script assumes the container is named after the CA. That is the usual case for a CA\u2019s own key, but confirm it against the <strong>Key Container =<\/strong> line in the same <strong>certutil -store<\/strong> output before you rely on it.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-3.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-76961\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-17-16-3-300x108.png\" alt=\"Image of code\" width=\"300\" height=\"108\" \/><\/a><\/p>\n<p>Let\u2019s pop this in a Try\/Catch block and add a little more logging, shall we? One caveat: a failing <strong>certutil<\/strong> call does not raise a PowerShell error by itself, so the Catch block only fires for PowerShell errors unless you also check <strong>$LASTEXITCODE<\/strong> after each <strong>cmd.exe<\/strong> call.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/Capture2.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-76971\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/Capture2-300x190.png\" alt=\"Capture\" width=\"300\" height=\"190\" \/><\/a><\/p>\n<p>Clean slate! 
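<\/p>\n<p>Before moving on, here is the whole delete step from this part as one script. This is an added example, not the post\u2019s own script or anything from Part 1 or Part 2. It assumes the Part 1 variables <strong>$CAName<\/strong>, <strong>$Drivename<\/strong>, <strong>$Foldername<\/strong> and <strong>$Logpath<\/strong> and the <strong>Add-LogEntry<\/strong> function are already in scope (a fallback <strong>Add-LogEntry<\/strong> with the same positional shape is defined only if the real one is missing), and that Part 2 exported the CA key to a PFX whose path you pass as <strong>-BackupPfx<\/strong>; that parameter, the ca-backup.pfx file name, and the function names <strong>Get-CaStoreEntry<\/strong> and <strong>Remove-CaCertificateAndKey<\/strong> are this example\u2019s own assumptions. Instead of grepping single lines, it parses the <strong>certutil -store<\/strong> output into one object per certificate, deletes by thumbprint, and deletes the key using the <strong>Key Container<\/strong> and <strong>Provider<\/strong> lines certutil reports rather than assuming the container is named after the CA. Calling certutil.exe directly also lets PowerShell quote arguments that contain spaces, so no backtick-escaped quotation marks are needed:<\/p>

```powershell
# Added example (not the original post's script). Assumes $CAName, $Drivename, $Foldername,
# $Logpath and Add-LogEntry from Part 1 are in scope; -BackupPfx is this example's own name
# for the PFX that Part 2 exported.

if (-not (Get-Command Add-LogEntry -ErrorAction SilentlyContinue)) {
    # Fallback with the same positional shape the post uses: Add-LogEntry $Logpath 'message'
    function Add-LogEntry ([string]$Path, [string]$Message) {
        Add-Content -Path $Path -Value \"$(Get-Date -Format s) $Message\"
    }
}

function Get-CaStoreEntry {
    # Parse 'certutil -store My <CAName>' into one object per certificate so we never
    # have to guess which 'hash' or 'provider' line belongs to which certificate.
    param([Parameter(Mandatory = $true)][string]$CAName)

    $lines = certutil.exe -store My $CAName
    if ($LASTEXITCODE -ne 0) { throw \"certutil -store failed with exit code $LASTEXITCODE\" }

    $entries = @()
    $current = $null
    foreach ($line in $lines) {
        switch -Regex ($line) {
            # certutil starts each certificate with a banner like '================ Certificate 0 ================'
            '^=+ Certificate [0-9]+ =+$' {
                if ($current) { $entries += [pscustomobject]$current }
                $current = [ordered]@{ Serial = $null; Thumbprint = $null; Container = $null; Provider = $null }
            }
            '^Serial Number: *(.+)$'       { $current.Serial     = $Matches[1].Trim() }
            # Older builds print the SHA-1 hash as spaced byte pairs; strip the spaces so the
            # value can be handed to -delstore without any quoting.
            '^Cert Hash[(]sha1[)]: *(.+)$' { $current.Thumbprint = $Matches[1] -replace ' ', '' }
            '^ *Key Container *= *(.+)$'   { $current.Container  = $Matches[1].Trim() }
            '^ *Provider *= *(.+)$'        { $current.Provider   = $Matches[1].Trim() }
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Remove-CaCertificateAndKey {
    param(
        [Parameter(Mandatory = $true)][string]$CAName,
        [Parameter(Mandatory = $true)][string]$WorkDir,
        [Parameter(Mandatory = $true)][string]$Logpath,
        [Parameter(Mandatory = $true)][string]$BackupPfx
    )

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session; the machine store and -delkey need administrator rights.'
    }
    # -delkey is irreversible, so refuse to run without the Part 2 backup on disk.
    if (-not (Test-Path -Path $BackupPfx)) {
        throw \"No key backup found at $BackupPfx; refusing to delete the CA private key.\"
    }

    $entries = @(Get-CaStoreEntry -CAName $CAName)
    if ($entries.Count -eq 0) { throw \"certutil found nothing matching '$CAName' in the machine My store.\" }

    Stop-Service -Name 'certsvc'
    Add-LogEntry $Logpath 'CA service stopped'

    # Record what is about to be deleted, as the post does, before touching anything.
    $entries | Format-List | Out-File -FilePath (Join-Path -Path $WorkDir -ChildPath 'CA_Certificates.txt')
    $entries | ForEach-Object { $_.Provider } | Where-Object { $_ } | Sort-Object -Unique |
        Out-File -FilePath (Join-Path -Path $WorkDir -ChildPath 'CSP.txt')
    Add-LogEntry $Logpath \"Recorded $($entries.Count) CA certificate(s) and their providers\"

    foreach ($entry in $entries) {
        certutil.exe -delstore My $entry.Thumbprint | Out-Null
        if ($LASTEXITCODE -ne 0) { throw \"certutil -delstore failed for $($entry.Thumbprint) (exit $LASTEXITCODE)\" }
        Add-LogEntry $Logpath \"Deleted certificate $($entry.Thumbprint) (serial $($entry.Serial))\"

        # Only certificates that have a private key report Key Container and Provider lines.
        if ($entry.Container -and $entry.Provider) {
            # PowerShell quotes these arguments itself because they contain spaces.
            certutil.exe -CSP $entry.Provider -delkey $entry.Container | Out-Null
            if ($LASTEXITCODE -ne 0) { throw \"certutil -delkey failed for container '$($entry.Container)' (exit $LASTEXITCODE)\" }
            Add-LogEntry $Logpath \"Deleted key container '$($entry.Container)' from '$($entry.Provider)'\"
        }
    }
}

# Usage with the Part 1 variables in scope; ca-backup.pfx is this example's assumed backup file name.
$workDir = Join-Path -Path $Drivename -ChildPath $Foldername
Remove-CaCertificateAndKey -CAName $CAName -WorkDir $workDir -Logpath $Logpath -BackupPfx (Join-Path -Path $workDir -ChildPath 'ca-backup.pfx')
```

<p>The two refusals (no backup file on disk, nothing in the store matching the CA name) and the <strong>$LASTEXITCODE<\/strong> check after every certutil call are the parts worth keeping even if you stay with the post\u2019s shorter commands: the original commands never check whether certutil succeeded, so a <strong>-delkey<\/strong> that fails quietly leaves the store half-cleaned, and one that succeeds without a verified backup leaves you with no CA at all.<\/p>\n<p>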
Tomorrow I\u2019m going to show you how to import the keys into a KSP and get that all into your CA\u2019s certificate store. Upgrading from CSP to KSP and SHA-1 to SHA-256 is a pretty involved process but we\u2019re more than half way done.<\/p>\n<p>If you are in a big hurry and want the full script, you can find it on my blog: <a href=\"http:\/\/www.workingsysadmin.com\/quick-script-share-upgrade-windows-certificate-authority-from-csp-to-ksp-and-from-sha-1-to-sha-256\/\">Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256<\/a>. I\u2019d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you\u2019re running.<\/p>\n<p>~Thomas<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\">Official Scripting Guys Forum<\/a>. Also check out my <a href=\"https:\/\/blogs.technet.microsoft.com\/msoms\/\">Microsoft Operations Management Suite Blog<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to delete your Windows CA certificates and crypto provider as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256. Hello! 
I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[568],"tags":[217,56,3,63,652,45],"class_list":["post-76952","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hey-scripting-guy","tag-certificates","tag-guest-blogger","tag-scripting-guy","tag-security","tag-thomas-rayner","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to delete your Windows CA certificates and crypto provider as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256. Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/76952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=76952"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/76952\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=76952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=76952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=76952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}