How to generate a CSR in IIS 7.5 with SHA2 algorithm

Question
Hello,
Is it possible to generate a CSR in IIS 7.5 using the SHA2 encryption algorithm?
We used to create the CSR using the Microsoft RSA SChannel Cryptographic Provider or the Microsoft DH SChannel Cryptographic Provider. Is it possible to have the SHA2 encryption algorithm there while generating the CSR?
Note: I don't want it to be done using OpenSSL.
I have generated CSRs earlier in IIS 7.5, but I am not sure if they use the SHA2 encryption algorithm.
Thanks and Regards,
Pavan
Wednesday, September 24, 2014 9:50 AM
Answers
Just to clarify, you need the request to be signed with SHA2?
In this case, there is no way to accomplish this in the IIS Manager console. Instead, you have to use the certreq.exe tool with a templated INF file where you add the entry "SignatureAlgorithm = SHA256".
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
- Edited by Vadims Podans MVP Wednesday, September 24, 2014 12:36 PM
- Proposed as answer by Elke Stangl Wednesday, October 1, 2014 9:49 PM
- Marked as answer by Amy Wang_ Tuesday, October 7, 2014 7:19 AM
Wednesday, September 24, 2014 12:34 PM
All replies
You don't need to specify the SHA2 signature algorithm in the request. Instead, you need to configure the CA server to sign certificates by using a SHA2 signature. 2 days ago I wrote a blog post about SHA2 which includes some theoretical information and guidance to move ADCS servers to use the SHA2 signature algorithm: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=134
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
Wednesday, September 24, 2014 11:09 AM
Hello,
Thank you for your reply.
I understood the background behind this after reading your blog.
I asked this question because we don't install the SSL certificate generated from the CSR on the server hosting the website; instead we install it on the Elastic Load Balancer service provided by Amazon Web Services.
We create the CSR using IIS, and our client wants the request to use the SHA2 signature algorithm.
Is there a solution in IIS to generate a request using the SHA2 signature algorithm?
Regards,
Pavan
Wednesday, September 24, 2014 12:19 PM
Hello,
Yes, you are right, we need the request to be signed with the SHA2 algorithm.
I got your point. Thank you very much for your response.
I will get back in case I need further assistance on this.
Cheers,
Pavan
Wednesday, September 24, 2014 1:57 PM
Are there any other special settings necessary for CertReq to function with IIS vs. a cert to be used with LDAP, for example?
Tuesday, November 25, 2014 4:11 PM
You don't need to use certreq with any config files. This is a very important task that every web site owner with an SSL cert should be aware of, and I'm surprised at the lack of information out there for IIS admins.
There is a very good article with instructions on using the certificate management console.
https://myexchangelync.wordpress.com/2014/12/14/create-a-csr-with-sha256-signature-algorithm/
Thanks to the author Kotteeswaran. My only addition is that the country should be specified as a 2-digit ISO country code.
- Proposed as answer by Maurice Leentvaar Thursday, July 9, 2015 7:11 AM
Sunday, July 5, 2015 6:50 PM
Well Tim.Mackey,
I followed your URL above but I could not succeed,
because my organization name contains a ',' (comma), like Co.,Ltd.
I tried it with quotes, "XXX Co.,Ltd.", but the CSR is invalid and it becomes "XXX Co.;Ltd."
Any solution?
PS. Forgive my English :(
- Edited by Thatchai Winaiwat Thursday, August 6, 2015 8:21 PM
Thursday, August 6, 2015 8:15 PM
This article may help:
To start: RUN > MMC > File > Add/Remove Snap-In... > Certificates > Add (these screenshots are from Windows Server 2012 R2, but Win 2003 and 2008 have the same steps)
http://day.ir/en-us/articles/ssl/create-csr-sha2-algorithm
Sunday, January 17, 2016 2:47 PM
There are 2 ways to create SHA256 (SHA-2) requests in Windows:
1- OpenSSL
2- Windows Snap-in console
The second method is very easy and works on all Windows servers: 2003, 2008, 2012 and XP, 7 to 10.
RUN > MMC > File > Add/Remove Snap-In... > Certificates > Add
Personal > Certificates (right click) > All Tasks > Advanced Operations > Create custom request
Check this guide:
How to create SHA2 CSR on Windows Server
http://day.ir/en-us/articles/ssl/create-csr-sha2-algorithm
Wednesday, January 20, 2016 6:58 PM
Step 2 is simple; I used that and got a certificate now.
How do I import this certificate in IIS and bind it to a website, since this CSR was not created using IIS?
Tuesday, February 2, 2016 1:22 PM
Just to clarify, you need the request to be signed with SHA2?
In this case, there is no way to accomplish this in the IIS Manager console. Instead, you have to use the certreq.exe tool with a templated INF file where you add the entry "SignatureAlgorithm = SHA256".
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
I'd be interested in an example of the INF file. Every time I've tried this particular method it has failed for me for one reason or another.
I asked this question on another community and no one had a proper answer for me.
https://community.spiceworks.com/topic/798644-sha2-certificate-requests-iis?page=1#entry-6534937
More worryingly, if this is becoming more and more of a necessity, why is it that it cannot be done off the bat (figuratively speaking)?
Regards, Carlos Ferreira
Wednesday, January 11, 2017 2:34 PM
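As an added example of the certreq INF approach from the marked answer (my own script, not from the thread or from Vadims' blog), here is a template that signs the PKCS#10 request with SHA-256 and a certutil check of the result; the subject DN, file names and key length are placeholders. Note that Microsoft's certreq documentation names the request-signature key HashAlgorithm under [NewRequest], which is what this template uses.

```powershell
# Added example: build a certreq INF that produces a SHA-256-signed CSR,
# generate the request without OpenSSL or IIS Manager, then verify the
# signature algorithm of the CSR with certutil. Placeholder values throughout.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, OU=IT, O=Example Corp, L=Seattle, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1                 ; AT_KEYEXCHANGE, required for TLS server keys
KeyUsage = 0xA0             ; Digital Signature + Key Encipherment
Exportable = TRUE           ; needed if the key must travel to a load balancer
MachineKeySet = TRUE        ; key lands in the Local Computer store, where IIS looks
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256      ; the request itself is signed with SHA-256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1     ; Server Authentication
'@

# Write the INF as plain ASCII so certreq parses it cleanly.
$inf | Set-Content -Path .\request.inf -Encoding ASCII

# Generate the key pair and the CSR (placeholder file names).
certreq.exe -new .\request.inf .\request.csr

# Check the signature algorithm of the CSR without OpenSSL.
# certutil prints the request's "Signature Algorithm" section; sha256RSA
# is the OID name for RSA with SHA-256.
$dump = certutil.exe -dump .\request.csr
if ($dump -match 'sha256RSA') {
    'CSR is signed with SHA-256'
} else {
    Write-Warning 'CSR is NOT signed with SHA-256; re-check HashAlgorithm in the INF'
}

# After the CA returns the signed certificate, "certreq.exe -accept .\cert.cer"
# pairs it with the private key in the Local Computer store, and it then appears
# under Server Certificates in IIS Manager for binding to a site.
```

Run the script from an elevated prompt, since MachineKeySet = TRUE writes the key to the Local Computer store.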
Hello,
I am currently trying to generate a cert request, but oddly the Select Hash Algorithm option is not present. Is there a reliance on the server OS or MMC version for this option to be available within the Private Key tab?
Thanks,
Tuesday, May 29, 2018 8:04 AM