Before you begin
It is important to check that your environment is ready for SHA-2, especially the devices and the operating system.
Please check SHA-2 certificate compatibility for your environment.
Create CSR for SHA-2 Algorithm
From the Computer/Server that you want to apply the certificate
- Type MMC in Run
- In MMC console click File >> Add/Remove snap-in
- Choose Certificate >> Add >> Computer >> Local Computer
- Click Next
- Go to Personal Store >> Certificates >> Right Click >> All Tasks >> Advanced Operations >> Create Custom Request
- Choose Custom Request >> Proceed without enrollment policy
- Choose the Certificate Template: (No template) CNG key
- Request Format: PKCS#10
The Cryptography Next Generation (CNG) key is what lets us change the hash algorithm of the request to SHA-2 later in the wizard.
- Click Next
- Click on Details >> Properties
Edit and Modify Certificate Properties
General Tab
- Type the certificate Friendly name and Description
Subject Tab
Subject Name
Add the Following Subject Name Types
- Common Name (CN)
Main certificate name, for example mail.msmuscle.net
- Country (C)
Country code, e.g. Jordan = JO
- Locality (L), Organization (O), Organization Unit (OU), State (S)
Alternative Name
To add a Subject Alternative Name (SAN), add the following type:
- DNS
Subject alternative name for your certificate, e.g. autodiscover.msmuscle.net
Extensions Tab
Key usage
- Add the key usages for your certificate
- Check Make these key usages critical
Example: for Exchange Server and Lync Server (Digital signature, Key encipherment)
Extended Key Usage (application Policies)
Defines the purpose of the certificate and how it can be used
- For Exchange and Lync Server: Server Authentication, Client Authentication
Private Key Tab
Key options
set the key length and make the private key exportable
- Change key size to 2048
- Check Make private key exportable
Select Hash Algorithm
select the Algorithm for your request
- Change Hash Algorithm to sha256
Finally, click OK
- Then click Next
- Save the request file to your local computer. File format: Base 64
- Click Finish
Now the request with the SHA-2 algorithm is ready for your certificate.
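The same request, built from the command line with certreq.exe instead of the MMC wizard, as an added example that is not from the original post. The subject fields, friendly name, second DNS name and file paths are assumptions; replace them with your own. Run it from an elevated prompt, because the key is created in the machine (computer) store.

```powershell
# Added example (not from the original post): the same SHA-256, CNG, 2048-bit,
# exportable PKCS#10 request built with certreq.exe instead of the MMC wizard.
# Assumed values: subject fields, friendly name, DNS names and file paths.
$infPath = "$env:TEMP\sha2-request.inf"
$reqPath = "$env:TEMP\sha2-request.req"

# Single-quoted here-string so "$Windows NT$" is written literally
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject tab: CN, OU, O, L, S, C (assumed values)
Subject = "CN=mail.msmuscle.net, OU=IT, O=Example Org, L=Amman, S=Amman, C=JO"
; General tab
FriendlyName = "Exchange SHA-2 certificate"
; "(No template) CNG key": a CNG key storage provider, not a legacy CSP
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
; Private Key tab: 2048-bit, exportable, stored in the computer store
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
; Hash algorithm used to sign the request
HashAlgorithm = sha256
; Key usage: Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xA0
; Request format: PKCS#10
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject Alternative Name (2.5.29.17) with the DNS entries from the Subject tab
2.5.29.17 = "{text}"
_continue_ = "dns=mail.msmuscle.net&"
_continue_ = "dns=autodiscover.msmuscle.net"
'@

Set-Content -Path $infPath -Value $inf -Encoding Ascii

# certreq writes the request Base64-encoded by default (the wizard's "Base 64" format)
certreq.exe -new $infPath $reqPath

# Show the first lines of the request file that goes to the CA
Get-Content -Path $reqPath | Select-Object -First 3
```

The INF mirrors the wizard tab by tab: ProviderName selects the CNG provider that makes the sha256 hash available, KeyUsage 0xA0 is the Digital Signature and Key Encipherment pair from the Extensions tab, and the [Extensions] section carries the SAN entries. The resulting .req file is submitted to the public issuer or the internal CA exactly like the one saved by the wizard.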
To Issue the Certificate from the request file
- Public Certificate: send the request file to your public certificate issuer
- Local Certificate: issue/sign the certificate using your Certificate Authority (CA)
Post tasks:
- Lync Server: because of CNG key compatibility, you have to modify the certificate before it applies successfully; modify your certificate
To verify whether your request file is SHA-2 or not:
Use this LINK from Symantec.
Open the file using Notepad, copy and paste your request file content, and check.
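A local way to do the same check without pasting the request into an external site, as an added example that is not from the original post: certutil.exe -dump (built into Windows) prints the request's signature algorithm, and the function below reads the OID from that output. It assumes certutil prints a "Signature Algorithm:" block followed by an "Algorithm ObjectId:" line, and the request path is an assumption.

```powershell
# Added example (not from the original post): read the signature hash of a
# PKCS#10 request file from the output of certutil.exe -dump.
# Assumed: certutil prints "Signature Algorithm:" followed by an
# "Algorithm ObjectId: <oid> <name>" line; the file path is an assumption.
function Get-CsrSignatureAlgorithm {
    param([Parameter(Mandatory)][string]$Path)

    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse '$Path': $dump" }

    # Example of the expected lines:
    #   Signature Algorithm:
    #       Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    $m = [regex]::Match($dump, 'Signature Algorithm:\s*Algorithm ObjectId:\s*(\S+)\s+(\S+)')
    if (-not $m.Success) { throw "No signature algorithm found in certutil output for '$Path'" }

    $oid  = $m.Groups[1].Value
    $name = $m.Groups[2].Value

    # SHA-2 family: sha256/384/512 with RSA, and ecdsa-with-SHA256/384/512
    $sha2Oids = @('1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',
                  '1.2.840.10045.4.3.2',   '1.2.840.10045.4.3.3',   '1.2.840.10045.4.3.4')
    # SHA-1 family: sha1RSA and ecdsa-with-SHA1, listed so the verdict is explicit
    $sha1Oids = @('1.2.840.113549.1.1.5', '1.2.840.10045.4.1')

    [pscustomobject]@{
        File      = $Path
        Oid       = $oid
        Algorithm = $name
        IsSha2    = $sha2Oids -contains $oid
        IsSha1    = $sha1Oids -contains $oid
    }
}

# Assumed path of the request saved by the wizard
Get-CsrSignatureAlgorithm -Path "$env:TEMP\sha2-request.req"
```

A request built with the wizard settings above reports Algorithm sha256RSA (OID 1.2.840.113549.1.1.11) and IsSha2 = True; a request signed with a legacy provider that still uses SHA-1 reports sha1RSA and IsSha1 = True, which means the CNG key or hash algorithm step was missed. On a non-English Windows installation the certutil labels are localized, so the regex would need the localized "Signature Algorithm" text.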