Configuring PKCS#1 Version 2.1 for Issued Certificates and Revocation Lists of a Certification Authority

Sometimes it may be necessary to change the signature algorithm of an already installed certification authority at a later point.

The change in the signature algorithm only affects certificates and revocation lists issued from the time of the changeover. Certificates already issued and the certification authority's own certificate are not changed; they would have to be reissued to change their signature algorithm.

Determine current setting

The following command line command can be used to display the current configuration of the certification authority:

certutil -getreg CA\CSP\AlternateSignatureAlgorithm

PKCS#1 version 1.5 is used if the AlternateSignatureAlgorithm value is either not present or set to "0".

PKCS#1 version 2.1 is used if the AlternateSignatureAlgorithm value is set to "1".

Configure PKCS#1 version 2.1 for the certification authority

The following command line command can be used to set the signature algorithm of a certification authority to PKCS#1 version 2.1:

certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1

Afterwards, the certification authority service must be restarted for the certification authority to accept the change.

Configure PKCS#1 version 1.5 for the certification authority

The reverse is also possible: if the certification authority is configured for PKCS#1 version 2.1 and you want to switch back to version 1.5, this can be achieved with the following command line command:

certutil -delreg CA\CSP\AlternateSignatureAlgorithm
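As an added example that is not part of the original article, the same procedure in PowerShell: it reads the value from the registry key that certutil -getreg CA\CSP addresses, switches it, restarts the service, and lets you compare the signature algorithm of the certification authority's own certificate with that of a certificate issued after the change. It assumes it runs as administrator on the certification authority host and that the CA name is taken from the Active value under the CertSvc configuration key.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes this host runs the CA.

$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $caRoot -Name Active).Active
$cspKey = Join-Path $caRoot "$caName\CSP"   # same key as certutil's CA\CSP

function Get-CaSignaturePadding {
    # Value absent or 0 -> PKCS#1 v1.5; 1 -> PKCS#1 v2.1 (RSASSA-PSS)
    $v = (Get-ItemProperty -Path $cspKey -Name AlternateSignatureAlgorithm `
            -ErrorAction SilentlyContinue).AlternateSignatureAlgorithm
    if ($v -eq 1) { 'PKCS#1 v2.1 (RSASSA-PSS)' } else { 'PKCS#1 v1.5' }
}

function Set-CaSignaturePadding {
    param([Parameter(Mandatory)][ValidateSet('v1.5', 'v2.1')][string]$Version)
    # Manipulates the same value as certutil -setreg / -delreg above.
    # Not every relying party can validate RSASSA-PSS signatures, so test
    # clients against a certificate issued with v2.1 before switching.
    if ($Version -eq 'v2.1') {
        certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1 | Out-Null
    } else {
        certutil -delreg CA\CSP\AlternateSignatureAlgorithm | Out-Null
    }
    # The CA only picks up the new setting after a service restart.
    Restart-Service -Name CertSvc
    Get-CaSignaturePadding
}

function Get-CertSignatureAlgorithm {
    # Reports the signature algorithm of a DER/PEM certificate file.
    # 1.2.840.113549.1.1.10 = RSASSA-PSS (PKCS#1 v2.1)
    # 1.2.840.113549.1.1.11 = sha256RSA  (PKCS#1 v1.5)
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    '{0} ({1})' -f $cert.SignatureAlgorithm.FriendlyName, $cert.SignatureAlgorithm.Value
}

# Usage:
#   Get-CaSignaturePadding
#   Set-CaSignaturePadding -Version v2.1
#   certutil -ca.cert ca.cer          # the CA's own certificate keeps its old algorithm
#   Get-CertSignatureAlgorithm -Path .\ca.cer
#   Get-CertSignatureAlgorithm -Path .\newly-issued.cer   # shows RSASSA-PSS after the switch
```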
