[hstrauss]

For Windows XP and Server 2003, there is a hotfix: http://support.microsoft.com/kb/968730

This enables SHA-2 certificates. Deployment of the patch is another problem, since it's a HotFix (which may have enterprise-QA issues) and not intended for general use, AFAIK. Still, I've been using it since WS2008 originally came out.

[Gregordinary]

The hotfix KB 968730 for Server 2003 includes updates from hotfix KB 938397. An important thing to note from KB 938397 is that "KB 938397 will bring Windows Server 2003 to the same level of functionality as Windows XP with Service Pack 3." [1]

What that translates to is that it only gives Server 2003 SHA2 support as a client, not as a server. I.e. You can connect to sites that are using SHA2 certs, but you cannot bind a SHA2 cert to your own website in IIS 6/Server 2003.

So once SHA1 is completely deprecated, those hosting sites or legacy apps on Windows Server 2003 will not be able to upgrade to SHA2 certs.

[1] http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-w...

[yuhong]

Luckily, MS stripped the GDR branch from all XP/Server 2003 patches one year before XP went out of support, and https://support.microsoft.com/kb/2868626 was released after that was done.