How to generate a CSR in IIS 7.5 with SHA2 algorithm

  • Question

  • Hello,

    Is it possible to generate a CSR in IIS 7.5 using the SHA2 encryption algorithm?

    We used to create the CSR using the Microsoft RSA SChannel Cryptographic Provider or the Microsoft DH SChannel Cryptographic Provider. Is it possible to have the SHA2 encryption algorithm there while generating the CSR?

    Note: I don't want it to be done using OpenSSL.

    I have generated CSRs earlier in IIS 7.5, but I am not sure if they use the SHA2 encryption algorithm.

    Thanks and Regards,

    Pavan

    Wednesday, September 24, 2014 9:50 AM

All replies

  • You don't need to specify the SHA2 signature algorithm in the request. Instead, you need to configure the CA server to sign certificates using a SHA2 signature. Two days ago I wrote a blog post about SHA2 which includes some theoretical information and guidance on moving ADCS servers to the SHA2 signature algorithm: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=134

    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

    Wednesday, September 24, 2014 11:09 AM
  • Hello,

    Thank you for your reply.

    I understood the background behind this after reading your blog.

    I asked this question because we don't install the SSL certificate generated from the CSR on the server hosting the website; instead we install it on the Elastic Load Balancer service provided by Amazon Web Services.

    We create the CSR using IIS, and our client wants the request to use the SHA2 signature algorithm.

    Is there a solution in IIS to generate a request using the SHA2 signature algorithm?

    Regards,
    Pavan

    Wednesday, September 24, 2014 12:19 PM
  • Just to clarify, you need the request to be signed with SHA2?

    In this case, there is no way to accomplish this in the IIS Manager console. Instead, you have to use the certreq.exe tool with a templated INF file where you will add the entry "SignatureAlgorithm = SHA256".

    • Edited by Vadims Podans (MVP) Wednesday, September 24, 2014 12:36 PM
    • Proposed as answer by Elke Stangl Wednesday, October 1, 2014 9:49 PM
    • Marked as answer by Amy Wang_ Tuesday, October 7, 2014 7:19 AM
    Wednesday, September 24, 2014 12:34 PM
  • Hello,

    Yes, you are right, we need the request to be signed with the SHA2 algorithm.

    I got your point. Thank you very much for your response.

    I will get back in case I need further assistance on this.

    Cheers,

    Pavan

    Wednesday, September 24, 2014 1:57 PM
  • Are there any other special settings necessary for CertReq to function with IIS vs. a cert to be used with LDAP, for example?
    Tuesday, November 25, 2014 4:11 PM
  • You don't need to use certreq with any config files. This is a very important task that every web site owner with an SSL cert should be aware of, and I'm surprised at the lack of information out there for IIS admins.

    There is a very good article with instructions on using the certificate management console.

    https://myexchangelync.wordpress.com/2014/12/14/create-a-csr-with-sha256-signature-algorithm/

    Thanks to the author Kotteeswaran. My only addition is that the country should be specified as a 2-digit ISO country code.


    Sunday, July 5, 2015 6:50 PM
  • Well Tim.Mackey,

    I followed your URL above, but I cannot succeed.

    Because my organization name contains a ',' (comma), like Co.,Ltd.

    I tried with quotes "XXX Co.,Ltd.", but the CSR is invalid and becomes "XXX Co.;Ltd."

    Any solution?

    PS. Forgive my English :(


    Thursday, August 6, 2015 8:15 PM
  • This article may help:

    To start: RUN > MMC > File > Add/Remove Snap-in... > Certificates > Add (these screenshots are from Windows Server 2012 R2, but Win 2003 and 2008 have the same steps)

    http://day.ir/en-us/articles/ssl/create-csr-sha2-algorithm

    Sunday, January 17, 2016 2:47 PM
  • There are 2 ways to create SHA256 (SHA-2) in Windows:

    1- OpenSSL

    2- Windows snap-in console
    The second method is very easy and works on all Windows servers 2003, 2008, 2012 and XP, 7 to 10.
    RUN > MMC > File > Add/Remove Snap-in... > Certificates > Add
    Personal > Certificates (right click) > All Tasks > Advanced Operations > Create custom request

    Check this guide:

    How to create SHA2 CSR on Windows Server
    http://day.ir/en-us/articles/ssl/create-csr-sha2-algorithm

    Wednesday, January 20, 2016 6:58 PM
  • Step 2 is simple; I used that and got a certificate now.

    How to import this certificate in IIS and bind it to a website? Since this CSR was not created using IIS.

    Tuesday, February 2, 2016 1:22 PM
  • Just to clarify, you need the request to be signed with SHA2?

    In this case, there is no way to accomplish this in the IIS Manager console. Instead, you have to use the certreq.exe tool with a templated INF file where you will add the entry "SignatureAlgorithm = SHA256".

    I'd be interested in an example of the INF file. Every time I've tried this particular method it has failed for me for one reason or another.

    I asked this question on another community and no one had a proper answer for me.

    https://community.spiceworks.com/topic/798644-sha2-certificate-requests-iis?page=1#entry-6534937

    More worryingly, if this is becoming more and more of a necessity, why is it that it cannot be done off the bat (figuratively speaking)?

    Regards,
    Carlos Ferreira

    Wednesday, January 11, 2017 2:34 PM
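The certreq.exe route described in the marked answer, and the INF example asked for above, as an added example that is not from anyone in this thread: the request digest is selected in the [NewRequest] section with the documented HashAlgorithm key; the paths, subject values and host names are placeholders.

```powershell
# Added example, not from the thread: a certreq.exe INF template that produces a
# SHA-256-signed PKCS#10 request with a 2048-bit RSA key in the computer store,
# plus the commands to generate and check it. Paths and subject values are placeholders.
$infPath = 'C:\csr\request.inf'
$csrPath = 'C:\csr\request.csr'

# Single-quoted here-string so "$Windows NT$" is not interpolated by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder subject. Commas separate the RDNs, so a comma inside a value
; (e.g. "Co.,Ltd.") needs quoting or escaping; this placeholder avoids one.
Subject = "CN=www.example.com, O=Example Co, L=Seattle, S=Washington, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; HashAlgorithm selects the digest used to sign the request (sha256, sha384, sha512).
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: list every host name the certificate must cover.
2.5.29.17 = "{text}dns=www.example.com&dns=example.com"
'@

New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair and the CSR (run from an elevated prompt because of MachineKeySet).
certreq.exe -new $infPath $csrPath

# Verify the request is signed with sha256RSA before handing it to the CA or the load balancer.
certutil.exe -dump $csrPath | Select-String -Pattern 'Signature Algorithm' -Context 0,1

# When the CA returns the issued certificate, pair it with the pending private key:
# certreq.exe -accept C:\csr\issued.cer
```

The certutil output should show "Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA" under Signature Algorithm; a sha1RSA line there means the INF directive was not applied.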
  • Hello,

    I am currently trying to generate a cert req, but oddly the Select Hash Algorithm option is not present. Is there a reliance on the server OS or MMC version for this option to be available within the Private Key tab?

    Thanks,
    Tuesday, May 29, 2018 8:04 AM