Generate an SHA-1 signed certificate after cutover to SHA-2

You’ve finally made the switch on your Microsoft AD CS PKI infrastructure to SHA2 (SHA256)… but there is always one.

One outlier application that won’t accept an SHA-2 certificate and needs an SHA1 certificate to keep chugging for 1 more year.

Don’t worry, you can switch your Active Directory Certificate Services PKI infrastructure back to SHA-1 for a little bit.

certutil -setreg ca\csp\CNGHashAlgorithm SHA1
restart-service certsvc

Now issue your certificate, and switch back.

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
restart-service certsvc

Note that only the leaf certificate will be signed with SHA1; the CA certificates in your chain will still be SHA2. If your application can't handle that, it is out of luck.

There is a small chance that some auto-enrolled certificate ALSO got signed with SHA1 while the CA was switched. You can run a quick query to see all the certificates that were issued in the last hour (Disposition 20 means "issued"):

certutil -restrict "SubmittedWhen >= now-00:01, Disposition = 20" -view csv | ConvertFrom-Csv | fl "Request Submission Date","Requester Name","Issued Common Name"

If you were unlucky and another certificate was issued while the CA was set to SHA1, you may want to renew it so that it is re-issued under SHA256.
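The whole detour, as an added PowerShell example that is not part of the original post: the switch back to SHA256 sits in a `finally` block so it happens even if the issuance step fails, the new setting is read back with `certutil -getreg`, and the post's audit query is narrowed to the exact window. Assumptions: it runs as a CA admin on the CA host, the regex used to parse `certutil -getreg` output and the `Request ID` column name are mine, and the `certreq` path is a placeholder.

```powershell
function Get-CNGHashAlgorithm {
    # Reads the configured hash algorithm back from the CA registry.
    # Assumption: certutil -getreg prints a line like "CNGHashAlgorithm REG_SZ = SHA256".
    $out = certutil -getreg ca\csp\CNGHashAlgorithm 2>&1 | Out-String
    if ($out -match 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)') { return $Matches[1] }
    throw "Could not read CNGHashAlgorithm from certutil output: $out"
}

function Set-CNGHashAlgorithm {
    param([Parameter(Mandatory)][ValidateSet('SHA1', 'SHA256')][string]$Algorithm)
    # Same two steps as the post, followed by a read-back check.
    certutil -setreg ca\csp\CNGHashAlgorithm $Algorithm | Out-Null
    Restart-Service certsvc
    $actual = Get-CNGHashAlgorithm
    if ($actual -ne $Algorithm) { throw "CA reports $actual, expected $Algorithm" }
}

function Get-IssuedSince {
    param([Parameter(Mandatory)][datetime]$Since)
    # The post's query (last hour, Disposition 20 = issued), filtered to the SHA1 window.
    certutil -restrict "SubmittedWhen >= now-00:01, Disposition = 20" -view csv |
        ConvertFrom-Csv |
        Where-Object { [datetime]$_.'Request Submission Date' -ge $Since } |
        Select-Object 'Request ID', 'Request Submission Date', 'Requester Name', 'Issued Common Name'
}

$windowStart = Get-Date
try {
    Set-CNGHashAlgorithm -Algorithm SHA1
    # Issue the one legacy certificate here, e.g. (placeholder CA config and paths):
    # certreq -submit -config "CAHOST\CA-NAME" C:\path\to\legacy.req C:\path\to\legacy.cer
    Write-Host 'CA is signing with SHA1. Issue the legacy certificate now, then press Enter.'
    [void](Read-Host)
}
finally {
    # Always revert, even if issuance threw or the operator aborted.
    Set-CNGHashAlgorithm -Algorithm SHA256
}

# Every row here was signed with SHA1; anything other than the intended request should be renewed.
Get-IssuedSince -Since $windowStart | Format-Table -AutoSize
```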