
Tuesday, December 12, 2017

Upgrade Windows 2012 R2 Root CA from SHA1 to SHA256


How to update Windows 2012 R2 AD CA from SHA1 to SHA2 or SHA256

By default, a Windows 2012 R2 Active Directory-integrated CA publishes and issues SHA1 certificates, which Google Chrome now declares untrusted. There was a warning window during configuration, but who knew it was so important; only after the CA is already integrated do you discover that you forgot to change the default hash algorithm.

The out-of-the-box provider on Windows 2012 R2 is already the MS Software Key Storage Provider, so you don't have to convert anything. How to install nginx, the CA or IIS is outside the scope of this article. To convert the storage provider, look for more detailed TechNet articles like this.

Conversion of CA hash algorithm

Converting the Certification Authority and web server certificates from SHA1 to SHA256 is pretty simple but not well documented.
To convert the Certification Authority you just have to type one command. Open an Administrator command prompt:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
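
A follow-up check for the command above, as an added example that is not part of the original post: it reads the configured hash back, restarts the CA service (the registry value is read when the service starts), and reports the signature algorithm of exported certificates. The folder path and the function name are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the CA server.
param(
    # Assumption: a folder holding exported *.cer / *.crt files to audit.
    [string]$ExportDir = 'C:\Temp\issued-certs'
)

# 1. Show the hash algorithm the CA is now configured to sign with.
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. Restart Certificate Services so the new value takes effect.
Restart-Service -Name certsvc

# 3. Report the signature algorithm of each exported certificate and flag
#    the ones still signed with SHA1 (or MD5).
function Get-CertSignatureReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Include *.cer, *.crt -Recurse -File |
        ForEach-Object {
            $cert = New-Object `
                System.Security.Cryptography.X509Certificates.X509Certificate2 `
                $_.FullName
            $alg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            [pscustomobject]@{
                File      = $_.Name
                Subject   = $cert.Subject
                NotAfter  = $cert.NotAfter
                Algorithm = $alg
                Weak      = $alg -match 'sha1|md5'
            }
        }
}

Get-CertSignatureReport -Path $ExportDir |
    Sort-Object Weak -Descending |
    Format-Table -AutoSize
```

Certificates issued before the change keep their SHA1 signature and show up as Weak until they are reissued; the same holds for the CA's own certificate until it is renewed.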

How to issue a SHA256 trusted certificate from a Windows 2012 R2 CA to a Graylog Ubuntu nginx or Apache web server

Requesting a key from Linux for an nginx or Apache server is a little more complex. I already had a self-signed certificate, but from the Linux perspective the request is almost the same. To avoid exposing the API and port 9000, I am keeping an nginx proxy on the Graylog server. My nginx configuration is as follows; as you can see, nothing has changed from the Graylog perspective.