PowerShell PKI Module Documentation

This command requires installed Remote Server Administration Tools (RSAT)

Set-CACryptographyConfig

Synopsis

Changes current Certification Authority (CA) cryptography settings.

Syntax

Set-CACryptographyConfig -InputObject <CACryptography[]> [[-HashingAlgorithm] <Oid>] [[-EncryptionAlgorithm] <Oid>] [-AlternateSignatureAlgorithm] [-RestartCA] [<CommonParameters>]

Description

Changes current Certification Authority (CA) cryptography settings. The following settings can be modified by this command:

Hashing Algorithm — the algorithm that is used to hash and sign issued certificates and certificate revocation lists (CRLs).
Pulbic Key Algorithm — the asymmetric algorithm that is used to encrypt the signature of the certificate or CRL. For example, change RSA to ECDSA algorithm.
Alternate Signature Algorithm — instructs CA server to use PKCS#1 v2.1 signature format.

Note: Public Key Algorithm and Alternatate Signature Algorithm are not supported by legacy cryptographic service providers (aka CryptoAPI CSP). Currently only CAPI2 (Key Storage) providers support these settings.

Parameters

-InputObject <CACryptography[]>

Specifies existing CA cryptography configuration object. This object can be retrieved by running Get-CACryptographyConfig command.

Required?True
Position?named
Default value
Accept pipeline input?true (ByValue, ByPropertyName)
Accept wildcard characters?False

-HashingAlgorithm <Oid>

Specifies the new hashing and signature algorithm. You can pass either, Oid object that contains new algorithm information, algorithm friendly name or algorithm object identifier.

Required?False
Position?1
Default value
Accept pipeline input?false
Accept wildcard characters?False

-EncryptionAlgorithm <Oid>

Specifies the new asymmetric algorithm. You can pass either, Oid object that contains new algorithm information, algorithm friendly name or algorithm object identifier.

Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.

Required?False
Position?2
Default value
Accept pipeline input?false
Accept wildcard characters?False

-AlternateSignatureAlgorithm <SwitchParameter>

Specifies whether the CA server should use PKCS#1 v2.1 signature format which causes signatures like RSASSA-PSS (1.2.840.113549.1.1.10) signature algorithm. Not all systems and applications may recognize this signature format.

Note: if the 'ProviderIsCNG' property of the cryptography configuration object is set to False, this parameter is ignored.

Required?False
Position?named
Default value
Accept pipeline input?false
Accept wildcard characters?False

-RestartCA <SwitchParameter>

Restarts CA service on the specified CA server to immediately apply changes.

Required?False
Position?named
Default value
Accept pipeline input?false
Accept wildcard characters?False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CACryptography

Outputs

PKI.CertificateServices.CACryptography

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -RestartCA

This example retrieves existing CA cryptography configuration and changes hashing algorithm to 'SHA256'. After certificate service is restarted, all new issued certificates and CRLs will be signed by used a 'SHA256' signing algorithm.

Example 2

PS C:\> Get-CertificationAuthority -Name MyCA | Get-CACryptographyConfig | Set-CACryptographyConfig -HashingAlgorithm SHA256 -AlternateSignatureAlgorithm -RestartCA

This example retrieves existing CA cryptography configuration and changes hashing algorithm to 'SHA256' and enforces CA server to use PKCS#1 v2.1 signature format. After certificate service is restarted, all new issued certificates and CRLs will be signed by used a PSS signing algorithm and the content will be hashed by using 'SHA256' hashing algorithm.

Related links

Get-CACryptographyConfig
Get-CertificationAuthority
Connect-CertificationAuthority

Minimum PowerShell version support

  • PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions