How to make a Windows CA stop issuing SHA1 and start using SHA256

You might expect the place to make the change to be a certificate template, but that is not the case. The default hash algorithm is stored in the registry and can be changed with certutil.

Run this directly on your CA as administrator:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Then restart your Certificate service:

net stop CertSvc
net start CertSvc

Freshly issued certificates should now be signed with SHA256 instead of the old, deprecated SHA1.
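An added verification script (not part of the original post) that reads back the registry value certutil wrote, lists certificates from this CA in the local machine store with their signature algorithm, and shows the CA's own certificate. It assumes it runs on the CA as administrator after the CertSvc restart; the certutil registry path ca\csp maps to the CSP subkey under the active CA's configuration key.

```powershell
# Added check, not from the original post. Assumes: run on the CA as administrator,
# after "net start CertSvc", with at least one test certificate enrolled from this CA
# into the local machine store.

# 1. Read back the value that "certutil -setreg ca\csp\CNGHashAlgorithm SHA256" wrote.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active          # name of the active CA
$csp    = Get-ItemProperty -Path (Join-Path $cfgKey "$caName\CSP")
Write-Host "CA '$caName': CNGHashAlgorithm = $($csp.CNGHashAlgorithm)"
if ($csp.CNGHashAlgorithm -ne 'SHA256') {
    Write-Warning 'CNGHashAlgorithm is not SHA256; re-run certutil -setreg and restart CertSvc.'
}

# 2. Certificates issued by this CA that sit in the local machine store, newest first,
#    with their signature algorithm. Anything issued after the restart should read
#    sha256RSA; older ones will still read sha1RSA until they are renewed.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*CN=$caName*" } |
    Sort-Object NotBefore -Descending |
    Select-Object Subject, NotBefore,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize

# 3. The CA's own certificate keeps its existing (SHA1) signature until the CA
#    certificate itself is renewed, so this line is informational, not a failure.
$caCertPath = Join-Path $env:TEMP 'ca-cert-check.cer'
certutil -ca.cert $caCertPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath
Write-Host "CA certificate signature algorithm: $($caCert.SignatureAlgorithm.FriendlyName)"
```

Certificates already issued before the change are unaffected; only new issuances (and new CRLs) use the new hash, so re-enrol anything that must stop presenting a SHA1 signature.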

Redirecting traffic with Apache

There are two main types of redirection. The first is where you want to change a domain or server but preserve the pages and URLs. For example, a company changes its name from company1 to company2 and you want to redirect everyone from http://company1.com/ to http://company2.com/ while keeping all of the pages, so a visitor clicking a link to http://company1.com/pages/page.html is redirected to http://company2.com/pages/page.html

This is easy to accomplish with a simple redirect in the virtual host. For example:

<VirtualHost *:80>
    ServerName company1
    ServerAlias company1.com
    Redirect "/" "https://company2.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName company1.com
    SSLEngine On
    SSLCertificateFile /etc/ssl/apache/company1-com.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    Redirect "/" "https://company2.com/"
</VirtualHost>

Another scenario is that perhaps company1 has stopped trading or maybe the site is down for maintenance and you want to send all traffic to a static page. In this example, we redirect to a complete URL which could be hosted elsewhere or on the same server.

<VirtualHost *:80>
    ServerName company1
    ServerAlias company1.com
    RewriteEngine On
    RewriteRule ^.*$ https://company2.com/maintenance.html
</VirtualHost>

<VirtualHost *:443>
    ServerName company1.com
    SSLEngine On
    SSLCertificateFile /etc/ssl/apache/company1-com.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    RewriteEngine On
    RewriteRule ^.*$ https://company2.com/maintenance.html
</VirtualHost>

Please note that if you want to redirect to a page on the same server or domain, you will need an additional line before each RewriteRule that stops the redirect from applying to the maintenance page itself. Without it, requests for that page are redirected to themselves and you get an endless redirect loop.

For example:

RewriteCond %{REQUEST_FILENAME} !/maintenance.html