IEnroll4::HashAlgorithmWStr property

[This property is no longer available for use as of Windows Server 2008 and Windows Vista.]

The HashAlgorithmWStr property sets or retrieves only the signature hashing algorithm used to sign the PKCS #10 certification request.

This property was first defined in the IEnroll interface.

This property is read/write.


HRESULT put_HashAlgorithmWStr(
  [in]  LPWSTR szwHashAlg

HRESULT get_HashAlgorithmWStr(
  [out] LPWSTR *pszwHashAlg

Property value

A pointer to a null-terminated wide character string that contains the hash algorithm. The string can be any object identifier (OID) for a hashing algorithm. The following list shows some possible values. The default value is "SHA1".

  • "SHA1"
  • "MD2"
  • "MD5"

Error codes

If the property access methods put_HashAlgorithmWStr and get_HashAlgorithmWStr succeed, they return S_OK.

Any other HRESULT value indicates that the call failed.


This signature hashing algorithm is not to be confused with the hashing algorithm used to sign the certificate. The enrollment control currently supports any OID for hashing algorithms, plus the following display name values: SHA1 (the default), MD2, and MD5. When retrieving this property, the retrieved value is in OID format (that is, SHA1 appears as When setting this property, the corresponding OID format can be used as an alternative to the text shown for the defined friendly values.

The Certificate Enrollment Control considers the value of the HashAlgorithmWStr property as a hint to the hashing algorithm to use for signing the PKCS #10 certification request. If the cryptographic service provider (CSP) supports the algorithm specified in the HashAlgorithmWStr property, the algorithm will be used. Otherwise, the Certificate Enrollment Control will try to use SHA1. If SHA1 is not supported by the CSP, then MD5 will be tried. If neither SHA1 nor MD5 is supported, the Certificate Enrollment Control will try to use the first hashing algorithm returned from the CSP.

The HashAlgorithmWStr property affects the behavior of the following methods:

If both the HashAlgID and HashAlgorithmWStr properties are set, whichever is last updated will specify which hashing algorithm will be used to sign the PKCS #10 certification request.


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

End of client support

Windows XP

End of server support

Windows Server 2003








IID_IEnroll4 is defined as f8053fe5-78f4-448f-a0db-41d61b73446b

See also