{"id":77171,"date":"2016-02-19T00:01:14","date_gmt":"2016-02-19T00:01:14","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/?p=77171"},"modified":"2019-02-18T09:19:49","modified_gmt":"2019-02-18T16:19:49","slug":"migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-5","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-5\/","title":{"rendered":"Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5"},"content":{"rendered":"<p><strong>Summary<\/strong>: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to modify the registry for SHA-256 as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256.<\/p>\n<p>Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (<a href=\"https:\/\/twitter.com\/MrThomasRayner\">@MrThomasRayner<\/a>) or on my blog, <a href=\"http:\/\/workingsysadmin.com\/\" target=\"_blank\">Working Sysadmin: Figuring stuff out at work<\/a>.<\/p>\n<p>I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. 
This script has only been tested on Windows Server 2012 and later.<\/p>\n<p><strong>\u00a0 Note<\/strong>\u00a0\u00a0\u00a0This is a five-part series that includes the following posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/15\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1\/?preview=true&amp;preview_id=76801&amp;preview_nonce=34b8f8d799&amp;post_format=standard\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1<\/a>\nExplore why you may need to perform this work, configure logging, and set up variables.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/16\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-2\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2<\/a>\nBack up your certification authority (CA) and test the script.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/17\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-3\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3<\/a>\nDelete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/18\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-4\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4<\/a>\nImport keys and certificate into a KSP.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/19\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-5\/\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5<\/a>\nModify the registry for SHA-256.<\/li>\n<\/ul>\n<p>Today I\u2019m wrapping up the series by migrating to SHA-256.<\/p>\n<h2>SHA-1 is being deprecated, let\u2019s get on to 
SHA-256<\/h2>\n<p>It feels like we\u2019re coming full circle. You probably started this journey because you needed to migrate from SHA-1 to SHA-256, and you found that is kind of hard if you\u2019re using a CSP instead of a KSP. Now that we took most of the week to get you on a KSP, let\u2019s finish the job and get you on to SHA-256, too.<\/p>\n<p>I\u2019m going to create a couple of registry files. Check out the following registry location:<\/p>\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration<\/p>\n<p>Expand the name of your certification authority (CA), and you\u2019ll see the two keys I\u2019m going to adjust. The first is the CSP key, the other is the EncryptionCSP key.<\/p>\n<p>I\u2019m not going to go through every line of every change for both keys, but what you need to know is that we\u2019re changing references from SHA-1 to SHA-256 and references to your old CSP to the KSP. I\u2019m throwing this operation into a Try\/Catch block in case something goes awry, and logging all this activity. Note that the here-string contents are not indented: anything to the left of the text inside a here-string ends up in the .reg file, and the header line must start at column one.<\/p>\n<pre>try\n{\n    # .reg file for the CSP key: hash algorithm becomes SHA256, provider becomes the KSP\n    $CSPreg = @\"\nWindows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\$CAName\\CSP]\n\"CNGHashAlgorithm\"=\"SHA256\"\n\"CNGPublicKeyAlgorithm\"=\"RSA\"\n\"HashAlgorithm\"=dword:ffffffff\n\"MachineKeyset\"=dword:00000001\n\"Provider\"=\"Microsoft Software Key Storage Provider\"\n\"ProviderType\"=dword:00000000\n\"@\n    $CSPreg | Out-File -FilePath \"$Drivename\\$Foldername\\csp.reg\"\n    Add-LogEntry $Logpath 'Created csp.reg'\n\n    # .reg file for the EncryptionCSP key: same provider change for the exchange (encryption) key\n    $Encryptionreg = @\"\nWindows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\$CAName\\EncryptionCSP]\n\"CNGEncryptionAlgorithm\"=\"3DES\"\n\"CNGPublicKeyAlgorithm\"=\"RSA\"\n\"EncryptionAlgorithm\"=dword:6603\n\"MachineKeyset\"=dword:00000001\n\"Provider\"=\"Microsoft Software Key Storage Provider\"\n\"ProviderType\"=dword:00000000\n\"SymmetricKeySize\"=dword:000000a8\n\"@\n    $Encryptionreg | Out-File -FilePath \"$Drivename\\$Foldername\\encryption.reg\"\n    Add-LogEntry $Logpath 'Created encryption.reg'\n}\ncatch [Exception]\n{\n    # Log the failure and stop; the CA service is still down at this point\n    Add-LogEntry $Logpath \"*** Activity failed \u2013 Exception Message: $($_.Exception.Message)\"\n    Exit-PSHostProcess\n}<\/pre>\n<p>Now it\u2019s time for a bit of fun. The next thing I\u2019m going to do is change your <strong>ErrorActionPreference<\/strong> variable to <strong>SilentlyContinue<\/strong>. You may be saying, \u201cThomas, won\u2019t that ignore errors? I don\u2019t want to ignore errors, do I?\u201d<\/p>\n<p>You\u2019d be right\u2026mostly. For the next couple of lines, we do want to ignore the errors that are going to arise. All you\u2019re doing is importing the two registry files that were created earlier.<\/p>\n<pre>$ErrorActionPreference = 'SilentlyContinue'\ncmd.exe \/c \"reg import $(\"$Drivename\\$Foldername\\encryption.reg\")\"\nAdd-LogEntry $Logpath 'Imported encryption.reg'\ncmd.exe \/c \"reg import $(\"$Drivename\\$Foldername\\csp.reg\")\"\nAdd-LogEntry $Logpath 'Imported csp.reg'<\/pre>\n<p>Here\u2019s what happens if you don\u2019t change your <strong>ErrorActionPreference<\/strong> variable. Remember in Part 1, we changed it to <strong>Stop<\/strong>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-19-16-1.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-77181\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-19-16-1-300x38.png\" alt=\"Image of error message\" width=\"300\" height=\"38\" \/><\/a><\/p>\n<p>What the heck? We got an error message that says, \u201cThe operation completed successfully.\u201d If I check out the registry, the changes were successfully applied. The cause is that reg.exe writes its status message to the standard error stream, which PowerShell reports as an error record; with the preference set to <strong>Stop<\/strong>, that record stops the script even though the import worked. 
Ignoring this issue by changing <strong>ErrorActionPreference<\/strong> is a workaround, but it will do for now.<\/p>\n<p>Now I need to start the certificate service again:<\/p>\n<pre>Start-Service -Name 'certsvc'\nAdd-LogEntry $Logpath 'Started certsvc'<\/pre>\n<p>The very first thing I did was change the <strong>ErrorActionPreference<\/strong> variable to <strong>Stop<\/strong>, so now it\u2019s fitting that I\u2019m going to change it back to its previous value. I told you we were coming full circle today.<\/p>\n<pre>$ErrorActionPreference = $OldEAP<\/pre>\n<p>That\u2019s it! Together, we\u2019ve upgraded your Windows certification authority from a CSP to a KSP and from SHA-1 to SHA-256.<\/p>\n<p>If you are interested in downloading the full script, you can find it on my blog: <a href=\"http:\/\/www.workingsysadmin.com\/quick-script-share-upgrade-windows-certificate-authority-from-csp-to-ksp-and-from-sha-1-to-sha-256\/\" target=\"_blank\">Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256<\/a>. Thank you very much for joining me on this scripting adventure this week. I hope you got as much value from reading these posts as I did from writing them.<\/p>\n<p>~Thomas<\/p>\n<p>Thank you, Thomas, for an excellent five-part series. It is great!<\/p>\n<p>Join me tomorrow for more way cool Windows PowerShell stuff.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. 
Also check out my <a href=\"https:\/\/blogs.technet.microsoft.com\/msoms\/\" target=\"_blank\">Microsoft Operations Management Suite Blog<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to modify the registry for SHA-256 as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256. Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[568],"tags":[217,56,3,63,652,45],"class_list":["post-77171","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hey-scripting-guy","tag-certificates","tag-guest-blogger","tag-scripting-guy","tag-security","tag-thomas-rayner","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to modify the registry for SHA-256 as a part of migrating a Windows certification authority from CSP to KSP and from SHA-1 to SHA-256. Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/77171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=77171"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/77171\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=77171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=77171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=77171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}