https://community.qlik.com/t5/Official-Support-Articles/SHA-256-and-Converting-the-Cryptographic-Service-Provider-Type/ta-p/1716032 <P>SHA-256, SHA-384 and SHA-512&nbsp;XML signatures require the <STRONG>Microsoft Enhanced RSA and AES Cryptographic Provider</STRONG>. This provider's type is 24.<BR /><BR />More details about cryptographic service providers (CSPs) and their capabilities may be found at:<BR /><A title="https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx" href="https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx" target="_blank" rel="noopener">https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx</A><BR />&nbsp;</P> <P><STRONG>How to verify:</STRONG></P> <P>This can be checked using Microsoft's <STRONG>CertUtil</STRONG>&nbsp;command.&nbsp;The following command outputs information about the private key and certificate including the CSP.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;certutil -dump c:\temp\idp.pfx</STRONG> Enter PFX password: ================ Certificate 0 ================ ================ Begin Nesting Level 1 ================ Element 0: Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US NotBefore: 2/7/2013 2:00 AM NotAfter: 4/4/2016 2:00 PM Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE Non-root Certificate Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68 ---------------- End Nesting Level 1 ---------------- Provider = <STRONG>Microsoft RSA SChannel Cryptographic Provider</STRONG> Encryption test passed CertUtil: -dump command completed successfully.</PRE> <P>The "Microsoft RSA SChannel Cryptographic Provider"&nbsp;is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.</P> <P>The PFX can be recreated specifying the required CSP.<BR /><BR /><STRONG>Before conversion:&nbsp;</STRONG></P> <PRE class="ckeditor_codeblock">- NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use. - NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files. - One method to perform this conversion is to use OpenSSL. Windows binaries are available for download. Refer to the <A href="https://wiki.openssl.org/index.php/Binaries" target="_blank" rel="noopener">OpenSSL Wiki</A>.</PRE> <P><BR /><STRONG>Start conversion:</STRONG></P> <P>1. Firstly, it must be converted from&nbsp;PKCS12 to PEM format. From the example below, you will see how to convert a single .pfx file containing both certificate and private key into a .pem format. When it was asked, be ready to provide the password used for protecting the private key.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;openssl pkcs12 -in c:\temp\idp.pfx -out c:\temp\idp.pem</STRONG> WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase:</PRE> <P><BR />2.&nbsp;Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;openssl pkcs12 -export -in c:\temp\idp.pem -out c:\temp\new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" <SPAN>-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1</SPAN></STRONG> WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter pass phrase for c:\temp\idp.pem: Enter Export Password: Verifying - Enter Export Password:</PRE> <P><BR />3. Now you can verify the CSP in the new PFX file with the CertUtil command again.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;certutil -dump c:\temp\new-idp.pfx</STRONG> Enter PFX password: ================ Certificate 0 ================ ================ Begin Nesting Level 1 ================ Element 0: Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US NotBefore: 2/7/2013 2:00 AM NotAfter: 4/4/2016 2:00 PM Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE Non-root Certificate Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68 ---------------- End Nesting Level 1 ---------------- Provider = <STRONG>Microsoft Enhanced RSA and AES Cryptographic Provider</STRONG> Encryption test passed CertUtil: -dump command completed successfully.</PRE> <P>The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512&nbsp;XML signatures.<BR /><BR /><STRONG>Conversion is Done!</STRONG><BR /><BR />OPTIONAL: If you have your certificate and private key stored in the .pem format already but separate files, the following command will help you to combine them and generate the .pfx file with the correct CSP.</P> <PRE class="ckeditor_codeblock">openssl pkcs12 -export -inkey key.pem -in cert.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" <SPAN>-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1</SPAN></PRE> <P><BR />Reference link:<BR /><A href="http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type" target="test_blank">http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type</A><BR /><BR /><BR /><BR /><BR />&nbsp;</P> <P><BR />&nbsp;</P> Tue, 10 Mar 2026 11:28:48 GMT Sonja_Bauernfeind 2026-03-10T11:28:48Z https://community.qlik.com/t5/Official-Support-Articles/SHA-256-and-Converting-the-Cryptographic-Service-Provider-Type/ta-p/1716032 <P>SHA-256, SHA-384 and SHA-512&nbsp;XML signatures require the <STRONG>Microsoft Enhanced RSA and AES Cryptographic Provider</STRONG>. This provider's type is 24.<BR /><BR />More details about cryptographic service providers (CSPs) and their capabilities may be found at:<BR /><A title="https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx" href="https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx" target="_blank" rel="noopener">https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx</A><BR />&nbsp;</P> <P><STRONG>How to verify:</STRONG></P> <P>This can be checked using Microsoft's <STRONG>CertUtil</STRONG>&nbsp;command.&nbsp;The following command outputs information about the private key and certificate including the CSP.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;certutil -dump c:\temp\idp.pfx</STRONG> Enter PFX password: ================ Certificate 0 ================ ================ Begin Nesting Level 1 ================ Element 0: Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US NotBefore: 2/7/2013 2:00 AM NotAfter: 4/4/2016 2:00 PM Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE Non-root Certificate Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68 ---------------- End Nesting Level 1 ---------------- Provider = <STRONG>Microsoft RSA SChannel Cryptographic Provider</STRONG> Encryption test passed CertUtil: -dump command completed successfully.</PRE> <P>The "Microsoft RSA SChannel Cryptographic Provider"&nbsp;is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.</P> <P>The PFX can be recreated specifying the required CSP.<BR /><BR /><STRONG>Before conversion:&nbsp;</STRONG></P> <PRE class="ckeditor_codeblock">- NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use. - NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files. - One method to perform this conversion is to use OpenSSL. Windows binaries are available for download. Refer to the <A href="https://wiki.openssl.org/index.php/Binaries" target="_blank" rel="noopener">OpenSSL Wiki</A>.</PRE> <P><BR /><STRONG>Start conversion:</STRONG></P> <P>1. Firstly, it must be converted from&nbsp;PKCS12 to PEM format. From the example below, you will see how to convert a single .pfx file containing both certificate and private key into a .pem format. When it was asked, be ready to provide the password used for protecting the private key.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;openssl pkcs12 -in c:\temp\idp.pfx -out c:\temp\idp.pem</STRONG> WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase:</PRE> <P><BR />2.&nbsp;Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;openssl pkcs12 -export -in c:\temp\idp.pem -out c:\temp\new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" <SPAN>-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1</SPAN></STRONG> WARNING: can't open config file: /usr/local/ssl/openssl.cnf Enter pass phrase for c:\temp\idp.pem: Enter Export Password: Verifying - Enter Export Password:</PRE> <P><BR />3. Now you can verify the CSP in the new PFX file with the CertUtil command again.</P> <PRE class="ckeditor_codeblock"><STRONG>c:\&gt;certutil -dump c:\temp\new-idp.pfx</STRONG> Enter PFX password: ================ Certificate 0 ================ ================ Begin Nesting Level 1 ================ Element 0: Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US NotBefore: 2/7/2013 2:00 AM NotAfter: 4/4/2016 2:00 PM Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE Non-root Certificate Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68 ---------------- End Nesting Level 1 ---------------- Provider = <STRONG>Microsoft Enhanced RSA and AES Cryptographic Provider</STRONG> Encryption test passed CertUtil: -dump command completed successfully.</PRE> <P>The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512&nbsp;XML signatures.<BR /><BR /><STRONG>Conversion is Done!</STRONG><BR /><BR />OPTIONAL: If you have your certificate and private key stored in the .pem format already but separate files, the following command will help you to combine them and generate the .pfx file with the correct CSP.</P> <PRE class="ckeditor_codeblock">openssl pkcs12 -export -inkey key.pem -in cert.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" <SPAN>-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1</SPAN></PRE> <P><BR />Reference link:<BR /><A href="http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type" target="test_blank">http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type</A><BR /><BR /><BR /><BR /><BR />&nbsp;</P> <P><BR />&nbsp;</P> Tue, 10 Mar 2026 11:28:48 GMT https://community.qlik.com/t5/Official-Support-Articles/SHA-256-and-Converting-the-Cryptographic-Service-Provider-Type/ta-p/1716032 Sonja_Bauernfeind 2026-03-10T11:28:48Z