How to Enable SHA-256 Certificate Support on Windows Server 2003 for SSL/TLS Connections in SSIS Packages


2 views

When working with legacy Windows Server 2003 SP2 systems, you might encounter SSL/TLS connectivity issues with modern SHA-256 certificates. The specific error we're troubleshooting manifests in two ways:

// SSIS Script Task Error
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

// CertUtil Verification Failure
CertUtil -verify certfile.cer
The signature of the certificate can not be verified. 0x80096004 (-2146869244)

Windows Server 2003 originally shipped without support for SHA-2 (SHA-256) certificate signatures. The cryptographic subsystem (crypt32.dll) needs patching to:

  • Recognize SHA-256 as a valid hash algorithm
  • Properly validate certificate chains using SHA-256
  • Establish TLS connections to servers using SHA-256 certificates

The critical updates needed are:

KB938397 - Base cryptographic improvements
KB968730 - SHA-256 support add-on
KB2616676 - Security update for crypt32.dll (prerequisite)

Important version check for crypt32.dll:

# Minimum required version: 5.131.3790.4477
# Your system might have newer: 5.131.3790.4905

First verify your current crypt32.dll version:

wmic datafile where name="C:\\windows\\system32\\crypt32.dll" get version

Then apply updates in this order:

  1. Install KB2616676 if not present
  2. Request KB938397 from Microsoft Support
  3. Finally install KB968730

If immediate patching isn't possible, consider these code alternatives:

// C# Script Task workaround (bypass certificate validation)
ServicePointManager.ServerCertificateValidationCallback += 
    (sender, cert, chain, errors) => true;

// PowerShell download alternative
$webClient = New-Object System.Net.WebClient
$webClient.DownloadString("https://example.com")

After patching, confirm functionality with:

# 1. IE navigation to HTTPS site
# 2. PowerShell test:
try {
    (New-Object Net.WebClient).DownloadString("https://target.site")
    "Success"
} catch {
    "Failure: $_"
}
# 3. CertUtil verification
CertUtil -verify certfile.cer

For advanced scenarios, these registry keys may need adjustment:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

When working with legacy Windows Server 2003 systems, you might encounter SSL/TLS connection failures specifically when:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This typically manifests in these scenarios:

  • SSIS packages failing during web service calls
  • PowerShell scripts using Invoke-WebRequest
  • Custom .NET applications making HTTPS connections

The core issue stems from Windows Server 2003's default lack of support for SHA-256/SHA-2 certificates. Modern certificates (post-2016) primarily use SHA-256, while Server 2003 originally only supported SHA-1.

Key verification symptoms:

CertUtil -verify certificate.cer
Output: The signature of the certificate can not be verified. 0x80096004 (-2146869244)

Here's the step-by-step resolution process:

1. Install Required Hotfixes

The critical updates needed are:

  • KB968730 - Adds SHA-2 support
  • KB938397 - Cryptographic improvements

For systems with existing updates (like KB2616676), you may need to:

wusa.exe /uninstall /kb:2616676 /quiet /norestart

Then install KB968730.

2. Registry Modifications

Add these registry entries to enable stronger cryptography:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

3. Code-Level Workarounds

For .NET applications, add this before making HTTPS calls:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | 
                                     SecurityProtocolType.Tls11 | 
                                     SecurityProtocolType.Tls12;

For SSIS Script Tasks:

System.Net.ServicePointManager.SecurityProtocol = 
    (System.Net.SecurityProtocolType)3072; // TLS 1.2

To confirm successful implementation:

  1. Check crypt32.dll version (should be 5.131.3790.4477 or later)
  2. Test SSL connection using PowerShell:
try {
    $request = [System.Net.WebRequest]::Create("https://targetsite.com")
    $request.GetResponse()
    Write-Host "SSL connection successful"
} catch {
    Write-Host "Connection failed: $_"
}

If hotfix installation isn't possible:

  • Implement a reverse proxy with modern OS
  • Use certificate pinning with custom validation
  • Consider upgrading to newer Windows Server version

For custom certificate validation in C#:

public bool ValidateServerCertificate(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    // Custom validation logic here
    return true; // Only for testing!
}