How to Change the Default Encryption Algorithm for Windows 2000 (278877)

MORE INFORMATION

After you install Certificate Services, you are unable to change the default encryption algorithm. To change the default encryption algorithm for the server that is running Certificate Services in the domain, use either of the following methods:

• Uninstall Certificate Services, and then when you reinstall Certificate Services, set the encryption algorithm that you want to use.
• Install Certificate Services on a second computer if multiple encryption algorithms are required in your environment

To use the hash algorithm for Certificate Services, start the Installation Wizard, and then click to select the following options:

1. In the Certification Authority Type window, enter the type of Certificate Authority that you would like to install, click to select the Advanced Options check box, and then click Next.
2. In the Public and Private Key Pair window, click Cryptographic Service Provider (CSP), enter the hash algorithm, and then enter the key length for the hash algorithm.
3. In the Public Key and Private Key windows, click to select any of the following options that you would like to use to configure Certificate Services:
   • Use existing keys
   • Use the associated certificate
   • View the certificate
   • Import a PKCS #12 file
4. After you enter the appropriate CSP and hash algorithm, click Next, and then finish the Installation Wizard. Enter the values that you need for your environment.

The following CSPs and hash algorithms are available by default in Windows 2000:

• Gemplus GemSAFE Card CSP v1.0 (Smartcards): HMAC, MAC, MD2, MD4, MD5, SHA-1, SSL SHAMD5
• Microsoft Base Cryptographic Provider v1.0: MD2, MD4, MD5, SHA-1
• Microsoft Base DSS Cryptographic Provider: SHA-1
• Schlumberger CSP (Smartcards): HMAC, MAC, MD2, MD4, MD5, SHA-1, SSL SHAMD5