How to create a SHA256 SAN Certificate for Exchange

  • Question

  • Dear.

    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?

    It seems that it's not possible to do this through New-ExchangeCertificate.

    Do you know the alternative command when using certreq for the following Exchange command:

    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048' 

    Thanks for the feedback.
    Regards.
    Peter


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Monday, November 3, 2014 4:03 PM
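As an added example (not part of this thread), here is the same request expressed as a certreq INF driven from PowerShell: it keeps the subject, SAN list, key size and exportable flag of the New-ExchangeCertificate command above, stays on the legacy RSA SChannel CSP rather than a CNG provider, and asks certreq to sign the PKCS#10 with SHA-256. The file paths are assumptions, and the certutil line at the end checks whether the hash was actually honoured.

```powershell
# Added example: build a certreq INF equivalent to the New-ExchangeCertificate
# call in the question. Paths are assumptions; values come from the question.
$infPath = 'C:\temp\certificate_Request.inf'   # assumed path
$reqPath = 'C:\temp\certificate_Request.req'   # assumed path

$sans = @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com',
          'ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com',
          'ps.wps.domain.com','autodiscover.domain.com')

# certreq takes the SAN extension (OID 2.5.29.17) as "{text}" followed by
# _continue_ lines; entries are separated by "&", so the last one has none.
$sanLines = for ($i = 0; $i -lt $sans.Count; $i++) {
    $sep = if ($i -lt $sans.Count - 1) { '&' } else { '' }
    "_continue_ = `"dns=$($sans[$i])$sep`""
}
$sanLines = $sanLines -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=mail.domain.com,OU=dddd,O=cccc,L=bbbb,S=aaaa,C=NL"
FriendlyName = "mail.domain.com"
HashAlgorithm = sha256
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $reqPath

# The request's own signature should now read sha256RSA (OID 1.2.840.113549.1.1.11).
# The hash on the issued certificate is still chosen by the CA, not by this INF.
certutil -dump $reqPath | Select-String 'sha256RSA|1\.2\.840\.113549\.1\.1\.11'
```

If the certutil output still shows sha1RSA, the CSP on that host did not honour HashAlgorithm and the MMC custom-request route from the answers below is the fallback.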

Answers

  • Hi Peter,

    There is no parameter in New-ExchangeCertificate to select the algorithm type (Secure Hash Algorithm (SHA)) used to generate the request. Personal opinion: we can create the certificate signing request using the Certificates MMC and then create a custom request as follows:

    1. Open MMC.exe. Click File > Add/Remove snap-in.

    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.

    3. Expand Certificates (Local Computer) > Personal > Certificates.

    4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.

    5. Click Next > Proceed without enrollment policy > Next > Next.

    6. In Certificate Information page, click Details > Properties.

    7. Then you can fill in the needed information for your request.

    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to sha256.

    9. Click OK > Next. Fill in File Name and select the request location.

    10. Finish it and send this request to the certificate authority.

    Regards,


    Winnie Liang
    TechNet Community Support

    Tuesday, November 4, 2014 9:14 AM
  • You can only select the hash algorithm if you create a CNG (Suite B) request; however, Exchange doesn't like CNG (yet), so you need to stay with the legacy provider for now. That doesn't prevent your certificate from being signed by a SHA256 or greater CA.

    Bruce Jourdain de Coutance - Consultant MVP Exchange http://blog.brucejdc.fr

    Monday, November 10, 2014 8:49 AM

All replies

  • Dear.

    I don't have the Hash Algorithm option. What OS version does your CA run on?

    Regards.
    Peter


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Tuesday, November 4, 2014 11:14 AM
  • Hi Peter,

    Sorry for my delay. My OS is Windows Server 2008 R2 Enterprise SP1. The steps in my original posting are about how to generate a certificate request which is using sha256 as the Hash Algorithm.

    Then we can submit the request to the CA.

    Regards,


    Winnie Liang
    TechNet Community Support

    Monday, November 10, 2014 3:14 AM