In this article, How to Install Certificate Services with SHA-256 a.k.a SHA-2 in Server 2012 R2. Please refer Microsoft Article for more about SHA-256.
Open Server Manager–> click on Add Roles and features
Click on Next
Select Role-based or feature-based installation and click on Next
Click on Next
Select on Active Directory Certificate Services
Click on Next
Click on Next
Select Certificate Authority and Certificate Authority Web Enrollment
Click on Next
Click on Next without changing anything as it is all selected by default which required for IIS
Click on Next
Click on Configure Active Directory Certificate Services on the destination server
Select administrator and Click on Next
Select Certificate Authority and Certificate Authority Web Enrollment
Select Enterprise CA and Click on Next
Click on Root CA
Select on Create a new private key
Select Key Length 4096 Select SHA256
Select Common name for this CA and Click on Next
Specify the validity Period and click Next
Change the CA database locations if you’re planning to change it to another location. since I am installation in Test Lab, I have left with default. but it is always good to keep it different location.
so installation is successful. Click on Close
open Certificate Authority and Click on Properties
you can see the Hash Algorithm is SHA256
To verify from Powershell, Run the below command
Certutil -Getreg CA\CSP\CNGHashAlgorithm
