Create certificate request with SHA256 on IIS 7

Create certificate request with SHA256 on IIS 7

Creating a CSR (or Certificate Singing Request) on an IIS 7 is pretty straight forward, but you end up with a request which uses the old SHA1 hashing method. Your certificate request will work, but the end result will be that your site might be vulnerable to SSL/TLS related attacks.

So how to create a CSR that uses the SHA256 algorithm?
All the information bellow can be found on ServerFault.

First make a request.inf file. (Just use a text editor and then change the extension to inf).

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fully.qualified.domain.name, OU=Organizational Unit, O=Company, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 4096
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = ""

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=example.com&"
_continue_ = "DNS=www.example.com&"
_continue_ = "DNS=secure.example.com"

Note: The “extensions” section is used to specify alternate DNS names. You can delete this section if you don’t need this.

Ok, save your file after you made sure everything is correct and start a new command window. Navigate to the folder where the .inf file is located and type:

certreq -new request.inf request.csr

Send this CSR file to your CA (Certificate Authority), and wait for the certificate…

Now to import and use it in IIS
Open a command window and type:

certreq -accept file-from-ca.cer

Now if everything went ok, you should be able to select this certificate in the “bindings” dialog box.

Certificate IIS 7

Note 2: You might be tempted to use a SHA512 hash (most of the information I found on this said this was overkill), but according to this site, IE might have some trouble with those hashes.

2 thoughts on “Create certificate request with SHA256 on IIS 7

  1. You have stated: “Your certificate request will work, but the end result will be that your site might be vulnerable to SSL/TLS related attacks.” That's not quite true. The signature used on the CSR as you submit it has nothing to do with the signature that the CA uses for their signature, does it? I do not believe there is any risk to using SHA1 for the CSR, so long as the CA uses SHA2 for their signature, since that's the one that will be all over your public certs.

  2. Isn't a CSR in essence just a self signed certificate that you give to your CA? Why would you chose a weak hash with that as it contains all your meta data. I'm not very familiar with the CA side of the “story” but I wonder if they don't just use the hashing method the CSR was made with? Maybe they can change it afterwards (I would probably presume so).

    Edit: Ok after some quick google'ing: http://security.stackexchange.com/questions/65271/can-a-csr-be-created-in-openssl-with-sha2
    The comments state that a CA will use it's own hash, but some seem to respect the hash the CSR was made with.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.