PowerShell PKI Module Documentation

Documentation Home
This command requires installed Remote Server Administration Tools (RSAT)

Set-CACryptographyConfig

Synopsis

Changes current Certification Authority (CA) cryptography settings.

Syntax

Set-CACryptographyConfig -InputObject <CACryptography[]> [[-HashingAlgorithm] <Oid>] [[-EncryptionAlgorithm] <Oid>] [-AlternateSignatureAlgorithm] [-RestartCA] [<CommonParameters>]

Description

Changes current Certification Authority (CA) cryptography settings. The following settings can be modified by this command:

Hashing Algorithm — the algorithm that is used to hash and sign issued certificates and certificate revocation lists (CRLs).
Pulbic Key Algorithm — the asymmetric algorithm that is used to encrypt the signature of the certificate or CRL. For example, change RSA to ECDSA algorithm.
Alternate Signature Algorithm — instructs CA server to use PKCS#1 v2.1 signature format.

Note: Public Key Algorithm and Alternatate Signature Algorithm are not supported by legacy cryptographic service providers (aka CryptoAPI CSP). Currently only CAPI2 (Key Storage) providers support these settings.

Parameters

-InputObject <CACryptography[]>

Specifies existing CA cryptography configuration object. This object can be retrieved by running Get-CACryptographyConfig command.

Required? True
Position? named
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-HashingAlgorithm <Oid>

Specifies the new hashing and signature algorithm. You can pass either, Oid object that contains new algorithm information, algorithm friendly name or algorithm object identifier.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-EncryptionAlgorithm <Oid>

Specifies the new asymmetric algorithm. You can pass either, Oid object that contains new algorithm information, algorithm friendly name or algorithm object identifier.

Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.

Required? False
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? False

-AlternateSignatureAlgorithm <SwitchParameter>

Specifies whether the CA server should use PKCS#1 v2.1 signature format which causes signatures like RSASSA-PSS (1.2.840.113549.1.1.10) signature algorithm. Not all systems and applications may recognize this signature format.

Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts CA service on the specified CA server to immediately apply changes.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CACryptography

Outputs

PKI.CertificateServices.CACryptography

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -RestartCA

This example retrieves existing CA cryptography configuration and changes hashing algorithm to 'SHA256'. After certificate service is restarted, all new issued certificates and CRLs will be signed by used a 'SHA256' signing algorithm.

Example 2

PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -AlternateSignatureAlgorithm -RestartCA

This example retrieves existing CA cryptography configuration and changes hashing algorithm to 'SHA256' and enforces CA server to use PKCS#1 v2.1 signature format. After certificate service is restarted, all new issued certificates and CRLs will be signed by used a PSS signing algorithm and the content will be hashed by using 'SHA256' hashing algorithm.

Related links

Get-CACryptographyConfig
Get-CertificationAuthority
Connect-CertificationAuthority

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions