Code: 10717 Publish date: 2015/12/22
How to create a SHA-2 CSR on Windows Server

How to create a SHA-2 CSR file on Windows Server to request an SSL certificate.



If you generate a CSR and your CA will not accept it because it is signed with SHA-1, you should switch to SHA-2. On some Windows 2003, 2008 and 2012 servers the default CSR is generated with SHA-1, so let's do it manually:

In this guide I did not use OpenSSL; with Windows alone, without any extra tools, we can create a SHA-2 CSR file.

To start:

Run > MMC > File > Add/Remove Snap-in... > Certificates > Add
(These screenshots are from Windows Server 2012 R2, but Windows 2003 and 2008 have the same steps)

MMC in Run
Type MMC in the Run dialog

File > Add/Remove Snap-in
From File > Add/Remove Snap-in...


Select Certificates
Select Certificates from the left panel and click the Add button


Certificate Snap-in
After clicking the Add button, the Certificate Snap-in window will pop up. Select Computer account > Next

The computer this console is running on
In the Select Computer window select Local computer (the computer this console is running on) > Finish


Select the added Certificates snap-in
In the Add or Remove Snap-ins window select the added Certificates snap-in and press OK.


Personal > Certificates > right click > All Tasks > Advanced Operations > Create Custom Request
Under Console Root select Personal > Certificates (right click) > All Tasks > Advanced Operations > Create Custom Request...



Certificate Enrollment window
In the Certificate Enrollment window select Next


Proceed without enrollment policy - Select Certificate Enrollment Policy
Select Proceed without enrollment policy on the Select Certificate Enrollment Policy page > Next


Custom request window: (No template) CNG key and PKCS #10 format
In the Custom request window select (No template) CNG key and the PKCS #10 request format, then select Next


Certificate Information page: select Details
On the Certificate Information page select Details to expand the box


Certificate Information: Properties
After clicking Details, the Properties button will appear; select it.



Certificate Properties: General tab
In Certificate Properties > General tab, for Friendly name enter the domain you need the SSL certificate for. For example, if you are creating a CSR for www.day.ir, type this in both Description and Friendly name.



Certificate Properties: Subject tab, Type and Value
In Certificate Properties > Subject tab, under Subject name in the left panel, select under Type the attributes your CA requires from you. Usually the items I introduce here are the necessary ones. After selecting an item, fill in its Value and click Add to move it to the right panel. The items you may need:
Common name: CN is your domain name, for example CN=www.day.ir
Organization: O is your company name, for example O=Day Telecom
Organizational Unit: OU is the name of the unit in your company responsible for SSL, for example OU=Security or OU=IT Dept
Locality: L is your city, for example L=Tehran
State: S is your state within your country, for example S=Tehran
Country: C, for example C=IRAN
Email: E is the email address on the certificate, for example E=webmaster@domain

You can also add a SAN (Subject Alternative Name) if your issuing CA supports it. For example, if you don't add www as an Alternative Name, your SSL certificate will not cover https://www.yourdomain.com and will only be usable for http://yourdomain.com

Hash Algorithm set to sha256, Key size 2048 or 4096 (Windows 2012)
This part is why we are here: in the Private Key tab expand Key options and change Key size to 2048 or bigger. Under Select Hash Algorithm change Hash Algorithm to sha256, then click OK and Next.
Selecting Make private key exportable will help you back up the installed certificate in the future, for moving to a new server or recovering from a problem.


Save the offline request in Base 64 format (Certificate Enrollment)
On the "Where do you want to save the offline request?" page select the destination and, under File format, select Base 64 > Finish.
Now you can check your CSR at:
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
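The same request can be produced from the command line with the built-in certreq.exe, which is handy for scripting or for servers without a desktop session. The script below is an added example, not part of the original article: it writes a certreq INF file with the article's settings (CNG key, 2048-bit RSA, sha256, exportable, PKCS #10, Base 64 output), adds a SAN for both host names, and then uses certutil.exe to confirm the signature algorithm and key length before the CSR is sent to the CA. The subject values, SAN names and file paths are assumed sample values; note that the Country attribute must be the two-letter ISO code.

```powershell
# Added example: command-line equivalent of the MMC steps in this article.
# Assumed sample values: subject fields, SAN names and output paths.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; Subject as in the article; Country (C) must be the two-letter ISO code
Subject = "CN=www.day.ir, O=Day Telecom, OU=IT Dept, L=Tehran, S=Tehran, C=IR, E=webmaster@day.ir"
FriendlyName = "www.day.ir"
; Key options from the Private Key tab: 2048-bit (or bigger) RSA, CNG provider
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
; The setting this article is about: sign the request with SHA-256
HashAlgorithm = sha256
; PKCS #10 request, stored in the Computer (machine) certificate store
RequestType = PKCS10
MachineKeySet = TRUE
; Same as "Make private key exportable" in the MMC dialog
Exportable = TRUE
; digitalSignature + keyEncipherment
KeyUsage = 0xa0

[Extensions]
; Subject Alternative Name (OID 2.5.29.17) covering both host names
2.5.29.17 = "{text}"
_continue_ = "dns=www.day.ir&"
_continue_ = "dns=day.ir"

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
'@

$infPath = Join-Path $env:TEMP 'www.day.ir.inf'
$csrPath = Join-Path $env:TEMP 'www.day.ir.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the local machine store and write the Base 64 PKCS #10 request
certreq.exe -new $infPath $csrPath

# Check the request locally before uploading it to the CA: the dump should show
# the signature algorithm sha256RSA, a 2048-bit public key and the DNS names.
certutil.exe -dump $csrPath | Select-String -Pattern 'sha256RSA|Public Key Length|DNS Name'
```

If the dump still reports sha1RSA, the HashAlgorithm line was not applied; correct the INF and rerun certreq.exe -new before requesting the certificate.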

  • Author: Amir Javidan