Does Windows Server 2012 R2 really support only one server signature algorithm?

I'm neither a windows expert nor an information security expert. Recently I inherited some Windows server 2012 R2 hosts that I have to manage. For reasons explained in this other post I realized (using sslscan with the --show-sigs option against the winrm port 5986) that all those hosts only support one Server Signature Algorithm, namely rsa_pkcs1-sha1 (see screenshot below).

• Is it true that this is the only supported Server Signature Algorithm in Windows Server 2012 R2?
• Is it possible to add more algorithms to the list? If yes, how?

I don't believe this has anything to do with Windows operating system version. WinRM on the server you are scanning is configured to use a specific certificate for HTTPS. The certificate which is configured was create using SHA-1 algorithm. So what you need to do is to get a new certificate and then configure WinRM to use it.

It might be worth checking if a suitable certificate is already installed on the server, so you might not even need to request a new one.

Another thing to consider is that changes like that might break some older scripts or apps, which for some reason would not accept new certificate. So proper testing and rollback plan is in order.

• To check current WinRM configuration, run winrm enumerate winrm/config/listener on the server

• To check for installed certificates, use MMC.EXE and add Certificates snap-in

• For step by step actions, take a look at https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-winrm-for-https The article is for Windows 10, so some commands might differ, but the concept is the same