Sometimes it is necessary to change the signature algorithm of an already installed certification authority after the fact.
The change of the signature algorithm only affects certificates and revocation lists issued from the time of the changeover onwards. Certificates already issued, as well as the certification authority's own certificate, are not changed; they would have to be reissued to carry the new signature algorithm.
Determine current setting
The following command displays the current configuration of the certification authority:
certutil -getreg CA\CSP\AlternateSignatureAlgorithm
PKCS#1 version 1.5 is used if the AlternateSignatureAlgorithm value is either not present or set to "0".
PKCS#1 version 2.1 is used if the AlternateSignatureAlgorithm value is set to "1".
Configure PKCS#1 version 2.1 for the certificate authority
The following command sets the signature algorithm of a certification authority to PKCS#1 version 2.1:
certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1
Afterwards, the certification authority service must be restarted for the change to take effect.
Configure PKCS#1 version 1.5 for the certificate authority
The reverse is also possible: if the certification authority is configured for PKCS#1 version 2.1 and you want to switch back to version 1.5, this can be done with the following command:
certutil -delreg CA\CSP\AlternateSignatureAlgorithm
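The procedure above (read the value, set it, restart the service) as a small PowerShell script, added here as an example and not taken from the original article. It reads the AlternateSignatureAlgorithm value from the CertSvc registry hive directly, wraps the certutil commands shown above, and checks which signature scheme an issued certificate file actually carries so the switch can be verified; it assumes it runs on the CA host with local administrator rights, and the function names are the author's own.

```powershell
# Standard location of the AD CS configuration; 'Active' names the CA instance.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaSignatureMode {
    # Same value that "certutil -getreg CA\CSP\AlternateSignatureAlgorithm" reports.
    $caName = (Get-ItemProperty -Path $configKey -Name Active).Active
    $cspKey = Join-Path $configKey "$caName\CSP"
    $value  = (Get-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
                -ErrorAction SilentlyContinue).AlternateSignatureAlgorithm
    # Missing value or 0 = PKCS#1 v1.5; 1 = PKCS#1 v2.1 (RSASSA-PSS).
    if ($value -eq 1) { 'PKCS#1 v2.1 (RSASSA-PSS)' } else { 'PKCS#1 v1.5' }
}

function Set-CaSignatureMode {
    param([Parameter(Mandatory)][ValidateSet('v1.5', 'v2.1')][string]$Mode)
    if ($Mode -eq 'v2.1') {
        certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1 | Out-Null
    } else {
        certutil -delreg CA\CSP\AlternateSignatureAlgorithm | Out-Null
    }
    # The CA only picks up the new value after a service restart.
    Restart-Service -Name CertSvc
}

function Get-CertSignatureScheme {
    # Reports the scheme of a certificate file (.cer/.crt), so a certificate
    # issued after the change can be checked against the configured mode.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # RSASSA-PSS = 1.2.840.113549.1.1.10; sha256RSA and friends are PKCS#1 v1.5.
    switch ($cert.SignatureAlgorithm.Value) {
        '1.2.840.113549.1.1.10' { 'PKCS#1 v2.1 (RSASSA-PSS)' }
        default { "PKCS#1 v1.5 or non-RSA ($($cert.SignatureAlgorithm.FriendlyName))" }
    }
}

Write-Host "CA is configured for: $(Get-CaSignatureMode)"
# Example usage after a switch (path is a placeholder for a freshly issued certificate):
# Set-CaSignatureMode -Mode 'v2.1'
# Get-CertSignatureScheme -Path 'C:\temp\issued-after-change.cer'
```

Certificates and CRLs issued before the restart will still report the old scheme, which is expected; only material signed after the change reflects the new setting.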