Downgrading ADCS from sha256 to sha1 based certs
Due to some Oracle servers that do not support SHA256 we are looking into downgrading the offline Root CA
to SHA1, and reissuing the Sub CA, and then reissuing the endpoint certs.
What are the steps in doing that? Do I need to uninstall the ADCS role from the Root CA and recreate it?
I should add that the Root offline CA is a standalone, then the Sub CA is Enterprise (AD Integrated).
This is a relatively new ADCS environment that has issued only a handful of certs.
December 1st, 2011 3:21pm
You have two choices (since you have very few certificates issued)
- tear down and redeploy
- Change the CNGHashAlgorithm to SHA1 and renew the root CA, confirm that the signature is SHA1, and then re-issue the subordinate CA certificate (again, setting hash algorithm to SHA1).
The command will be certutil -setreg ca\csp\CNGHashAlgorithm SHA1 and then restart ADCS
Also make sure that your key length and validity period are defined in the root CA's CAPolicy.inf before renewing
Brian
December 1st, 2011 6:14pm
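An audit script for the "confirm that the signature is SHA1" step above, to run on the CA host before and after the renewal so you can see what the CA is actually configured to sign with and which certificates in the local stores already carry a SHA1 signature. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the CA and reads the registry values that certutil -setreg ca\csp\... writes (CNGHashAlgorithm applies to keys held in a CNG KSP; a legacy CAPI CSP uses the HashAlgorithm DWORD instead).

```powershell
# Added example (not from the thread): audit an ADCS CA's configured hash
# algorithm and the signature algorithms of certificates in the local stores.

function Get-CaHashConfig {
    # certutil -setreg ca\csp\CNGHashAlgorithm writes under
    # HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\CSP
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active      # name of the active CA instance
    $csp    = Get-ItemProperty -Path "$cfg\$caName\CSP"
    [pscustomobject]@{
        CA               = $caName
        Provider         = $csp.Provider                # KSP vs legacy CSP
        CNGHashAlgorithm = $csp.CNGHashAlgorithm        # e.g. SHA256 / SHA1 (KSP keys)
        HashAlgorithm    = $csp.HashAlgorithm           # CALG_* id (legacy CSP keys)
    }
}

function Get-SignatureAlgorithmReport {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\My',
                              'Cert:\LocalMachine\CA',
                              'Cert:\LocalMachine\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $alg = $_.SignatureAlgorithm.FriendlyName    # e.g. sha256RSA / sha1RSA
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                SigAlg     = $alg
                Sha1Signed = ($alg -match '^sha1')
            }
        }
    }
}

# What the CA will sign with from now on:
Get-CaHashConfig | Format-List

# Every certificate on this host that is already SHA1-signed, so the
# root, sub CA and endpoint certs can be tracked through the reissue:
Get-SignatureAlgorithmReport |
    Where-Object Sha1Signed |
    Format-Table Store, Subject, SigAlg -AutoSize
```

The CA cert itself shows up in Cert:\LocalMachine\My on the CA host, so the SigAlg column for it is the quickest way to verify the renewal took effect.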
Hi,
We have the same situation in our company, so I tried changing the hash algorithm to SHA1 in our test environment. After running this command on the offline Root CA, the ADCS service failed to start and the following error occurred:
WsResetMetadata 0xd00000bb (-805306181)
Is there any additional settings to adjust or we have to reinstall the CA?
Regards
Ivan
February 1st, 2012 6:18am