SHA-2 Request CSR

Before you begin

its important to check your environment readiness for Sha-2 especially the devices and the operation system

please check SHA-2 Certificate Compatibility for you environment

Create CSR for SHA-2 Algorithm

From the Computer/Server that you want to apply the certificate

  • Type MMC in Run17
  • In MMC console click File >> Add/Remove snap-in
  • Choose Certificate >> Add >>  Computer >> Local Computer18
  • Click Next
  • Go to Personal Store >> Certificate >> Right Click a All Tasks a Advanced Operations a Create Custom Request1
  • Choose Custom Request Proceed without enrollment policy2
  • Chose the Certificate Template (No template) CNG Key
  • Request Format : PKCS#10

the Cryptography Next Generation (CNG Key) will allow us to be able to change the Algorithm to SHA-2


  • 3
  • Click Next
  • Click on Details  >> Properties 4

Edit and Modify Certificate Properties

General Tab

  • Type Certificate Friendly name , and Description 5

Subject Tab

Subject Name

Add the Following Subject Name Types

  • Common Name (CN)

main certificate name , for example (

  • Country (C)

Country Code ex: Jordan = JO

  • Locality (L),  Organization (O),  Organization Unit (OU),  State (S)

Alternative Name

To Add Subject Alternative Name (SAN) , add the following Type:

  • DNS

Subject alternative name for your certificate ex:


Extensions Tab

Key usage

  • add the Key usage for your certificate
  • check Make these key usage critical

example : for exchange server and lync server  (Digital signature, key encipherment)


Extended Key Usage (application Policies)

Defines the purpose of the certificate , and how the certificate can be use

  • for exchange and lync server (Server Authentication, Client Authentication)


Private Key Tab

Key options

set the key length  and make the private key exportable

  • Change key size to 2048 
  • Check Make private key exportable


Select Hash Algorithm

select the Algorithm for your request

  • Change Hash Algorithm to sha256


  • Finally, Click OK

  • then Click NEXT


  • save the requisite file to you local computer. File format Base 64
  • Click Finish


Now the requisite with Sha-2 Algorithm is ready for your Certificate


To Issue the Certificate from the request file

  • Public Certificate : send the request file to your Public Certificate Issuer
  • Local Certificate : Issue/Signing certificate using Certificate Authority (CA)

Post tasks:

  • Lync Server : you have to modify the Certificate to apply successfully , because the CNG key compatibility , modify your certificate

To verify your request  file  if its sha-2 or not.

use this LINK  from symantec

open the File using notepad , copy and past your request file content and check


Tags: No tags

Add a Comment

Your email address will not be published. Required fields are marked *