HashAlgorithm Property

ICEnroll4::HashAlgorithm property

[This property is no longer available for use as of Windows Server 2008 and Windows Vista.]

The HashAlgorithm property sets or retrieves only the signature hashing algorithm used to sign the PKCS #10 certification request.

This property was first defined in the ICEnroll interface.

This property is read/write.


HRESULT put_HashAlgorithm(
  [in]  BSTR HashAlg

HRESULT get_HashAlgorithm(
  [out] BSTR *pHashAlg

Property value

A string that represents the signature hashing algorithm used to sign the PKCS #10 certification request. The string can be any OID for a hashing algorithm. The following list shows some possible values. The default value is "SHA1".

  • "SHA1"
  • "MD2"
  • "MD5"

Error codes

If the property access methods put_HashAlgorithm and get_HashAlgorithm succeed, they return S_OK.

Any other HRESULT value indicates that the call failed.


This signature hashing algorithm is not to be confused with the hashing algorithm used to sign the certificate. The enrollment control currently supports any OID for hashing algorithms, plus the following display name values: SHA1 (the default), MD2, and MD5. When retrieving this property, the retrieved value is in OID format (that is, SHA1 appears as When setting this property, the corresponding OID format can be used as an alternative to the text shown for the defined friendly values.

The Certificate Enrollment Control considers the value of the HashAlgorithm property as a hint to the hashing algorithm to use for signing the PKCS #10 certification request. If the cryptographic service provider (CSP) supports the algorithm specified in the HashAlgorithm property, the algorithm will be used. Otherwise, the Certificate Enrollment Control will try to use SHA1. If SHA1 is not supported by the CSP, then MD5 will be tried. If neither SHA1 nor MD5 is supported, the Certificate Enrollment Control will try to use the first hashing algorithm returned from the CSP.

The HashAlgorithm property affects the behavior of the following methods:

If both the HashAlgID and HashAlgorithm properties are set, whichever is last updated will specify which hashing algorithm will be used to sign the PKCS #10 certification request.


BSTR     bstrHashAlg = NULL;

// get the hash algorithm
hr = pEnroll->get_HashAlgorithm( &bstrHashAlg );
if ( FAILED ( hr ) )
    printf("Failed get_HashAlgorithm - %x\n", hr );
    printf( "HashAlgorithm: %ws\n", bstrHashAlg );
// free BSTR
if ( NULL != bstrHashAlg )
    SysFreeString( bstrHashAlg);

BSTR    bstrMyHashAlg = SysAllocString(TEXT("MD5"));
// alternatively, ... = SysAllocString(TEXT("1.2.840.113549.1.1.4"));

// set the hash algorithm
hr = pEnroll->put_HashAlgorithm( bstrMyHashAlg );
if ( FAILED ( hr ) )
    printf("Failed put_HashAlgorithm - %x\n", hr );
    printf( "HashAlgorithm was set to %ws\n", bstrMyHashAlg );
// free BSTR
if ( NULL != bstrMyHashAlg )
    SysFreeString( bstrMyHashAlg);


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

End of client support

Windows XP

End of server support

Windows Server 2003








IID_ICEnroll4 is defined as c1f1188a-2eb5-4a80-841b-7e729a356d90



© 2016 Microsoft