[Exchange 2010] Obtaining an SHA-2 Certificate (What do I need?)

  • Question

  • I am running Exchange 2010 on Windows Server 2008 R2 Enterprise - Service Pack 1.

    I need to renew a security certificate for Exchange 2010, but I need to make sure that it can use SHA-2.

    I found some information that said you need to install patch KB 2949927 for Windows Server 2008 R2, but that was revoked by Microsoft because of BSOD errors, and then I can't find anything else.  This was released and revoked in October 2014.

    1) What do I need to be able to have my Exchange 2010 use a SHA-2 based cert instead of the old SHA-1?

          A) Is it compatible with Exchange 2010?

          B) Do I need any patches like KB2949927 to make this happen, and if so, how do I obtain this patch that Microsoft revoked?

    2) What do I need to do to be able to create an SHA-2 certificate?  Do I need to create a CSR that allows for SHA-2?

    NOTE: I understand the process: you create a CSR and a KEY file on the computer that you are going to install the certificate from, then take the CSR and provide it to your Certificate Authority; they give you back a .crt, and you take that file and the key and use them both to secure the server.  I am just not sure about the SHA-2 part.

    Please enlighten me.



    Wednesday, May 27, 2015 5:29 PM

Answers

  • You need a certificate from virtually any public certificate vendor.  It will be an X.509v3 certificate.  Any of these will support the SHA-2 hash.

    Exchange will use whatever the underlying operating system or email client is using, so if you want to lock it down to SHA-2, you need to do that on your operating system.  For information on this, check the following:

    http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx


    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Wednesday, May 27, 2015 6:30 PM
  • Hi,

    We can create the certificate signing request using the Certificates MMC by creating a custom request with the hash algorithm set to SHA256, as follows:

    1. Open MMC.exe. Click File > Add/Remove snap-in.

    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.

    3. Expand Certificates (Local Computer) > Personal > Certificates.

    4. In the Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.

    5. Click Next > Proceed without enrollment policy > Next > Next.

    6. In Certificate Information page, open Details > Properties.

    7. Then you can fill in the needed information for your request.

    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to sha256.

    9. Click OK > Next. Fill in File Name and select the request location.

    10. Finish it and send this request to the certificate authority.

    Regards,



    Winnie Liang
    TechNet Community Support

    Thursday, May 28, 2015 8:13 AM
    Moderator
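The MMC steps above can be scripted: certreq.exe builds the same custom request from an INF file whose HashAlgorithm line is the "Select Hash Algorithm" setting, and certutil.exe confirms the result before it goes to the CA. This is an added example, not code from the thread; the hostnames, subject and C:\Certs paths are placeholders.

```powershell
# Added example: create a SHA-256 signed CSR for Exchange with certreq.exe, then verify it.
# Paths, subject and DNS names are placeholders; substitute your own values.
$Inf = 'C:\Certs\exchange.inf'
$Csr = 'C:\Certs\exchange.req'

@'
[NewRequest]
Subject = "CN=mail.example.com, O=Example Corp, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
; HashAlgorithm is what the MMC "Select Hash Algorithm" drop-down sets; it governs the
; signature on the request itself. The CA chooses the hash for the issued certificate,
; so still ask the CA for SHA-2 when you submit the request.
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; KeySpec 1 = AT_KEYEXCHANGE, required for a TLS server key with this legacy CSP
KeySpec = 1
; digitalSignature | keyEncipherment
KeyUsage = 0xa0
; key goes into the computer store, which is where Exchange looks for it
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; subjectAltName: every name clients connect to (Outlook Anywhere, Autodiscover, ...)
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
'@ | Set-Content -Path $Inf -Encoding ASCII

# Generates the private key in the machine store and writes the PKCS#10 request.
certreq.exe -new $Inf $Csr

# Check the request's signature algorithm before sending it: sha256RSA is
# OID 1.2.840.113549.1.1.11, sha1RSA is 1.2.840.113549.1.1.5.
$sig = certutil.exe -dump $Csr |
       Select-String -Pattern 'Algorithm ObjectId: 1\.2\.840\.113549\.1\.1\.(5|11)\b' |
       Select-Object -First 1
if ($sig -match '\.1\.1\.11\b') {
    Write-Host "OK: $Csr is signed with sha256RSA"
} else {
    Write-Warning "Request is not SHA-256 (saw: $sig); fix the INF before submitting it."
}
```

After the CA returns the .crt, run the same certutil.exe -dump check on it: the issued certificate's signature algorithm is set by the CA, not by the CSR.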

All replies

  • So, I have a question.  I am using a CA and not doing self-signing nor code signing.

    1) The first answer said basically you don't have to do anything to get SHA-2 or SHA256 other than just ask your CA for that specific version SHA-2.  I have Windows Server 2008 R2 with all of the latest patches. 

    2) Then your second answer makes a CSR that is set for SHA-2 or SHA256 (so I am confused).

    Which answer is the correct one?

    In one case the CSR generated doesn't matter, but in the second case it does matter.

    Thursday, May 28, 2015 3:27 PM
  • The second answer is creating a certificate that is specifically available for the SHA256 hash.  The first is general and can be used with many encryption algorithms - including SHA-2.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Thursday, May 28, 2015 4:47 PM
  • So, I get it now.  The issue "should" be going away in the near future (a year or two) because SHA-1 will no longer be supported.  So starting next year in 2016, if you get a brand new certificate it will be SHA-2 by default and no longer SHA-1.

    However, as of right now if I use the generic version of a CSR, can I email my CA and make sure they deliver a SHA-2 certificate?

    Thursday, May 28, 2015 8:15 PM
  • Yes.  You can also configure your system so it won't allow SHA-1, if that is a goal.  For that, you can disable SHA-1 the same way the following WindowsITPro article suggests for disabling RC4:  http://windowsitpro.com/windows/disabling-rc4-cipher

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Friday, May 29, 2015 1:14 PM