OCS Certificate SHA-2 Issue
Today I was told about a certificate issue that can cause problems when OCS servers are deployed with certificates that use the SHA-2 family of hash algorithms (SHA-256, SHA-384 and SHA-512). The Cryptographic Service Provider in Windows XP SP2, Windows Server 2003 SP2 and older does not support these algorithms. Newer operating systems such as Vista and Server 2008 support them by default.
In an OCS deployment, this limitation shows up as the following error in the event log of a Communicator client running on an older OS when the deployed certificates use these algorithms:
Source: Schannel
Event ID: 36876
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80096004. The SSL connection request has failed. The attached data contains the server certificate.

Fortunately, there is a work-around in most cases. An upgrade to SP3 on XP and a hotfix for Server 2003 can add support for SHA-2 algorithms. See the following links for more detailed information about this issue.
http://blogs.msdn.com/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx