Exchange certificates and SHA256

Hi All,

I need to deploy a SAN certificate for Exchange 2013 using SHA256 as the signing algorithm; the structure has an internal standalone CA. I have been looking around and these are my findings:

1. If you create a CSR from Exchange, it will create a SHA1 request.

2. You can create a SHA256 request from the Windows Certificates MMC using CNG, but then OWA and ECP won't work because Exchange 2013 doesn't support CNG keys.

Now I was about to:

A. change the signing algorithm on the CA;

B. create a SHA256 request from a Linux machine using OpenSSL.

I can't believe there's no other way using only MS products, but if there is I couldn't find it.

Any idea?

Thanks

May 19th, 2015 6:33am
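A Microsoft-only route that avoids both CNG and OpenSSL, given here as an added example and not as part of the original post or any reply: certreq.exe reads an INF file in which the hash algorithm and the legacy CAPI CSP can be chosen together, and the hash the CA uses to sign the issued certificate is a setting on the CA, not something the CSR dictates. Hostnames, the CA config string, organisation name and paths are placeholders (assumptions); run the certreq/certutil part on the Exchange server and the Enable-ExchangeCertificate line in the Exchange Management Shell.

```powershell
# Added example (not from the thread): request a SHA256-signed SAN certificate
# for Exchange 2013 from an internal standalone Microsoft CA while keeping the
# private key in a legacy CAPI CSP (not a CNG KSP), which is what Exchange 2013
# OWA/ECP require. All names and paths below are assumed placeholders.

$exchangeFqdn = 'mail.contoso.com'                                # assumption
$sanNames     = @('mail.contoso.com', 'autodiscover.contoso.com', 'ex01.corp.contoso.com')
$caConfig     = 'CA01.corp.contoso.com\Contoso-Standalone-CA'     # "host\CA common name", assumption
$work         = 'C:\certs'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# SAN extension (OID 2.5.29.17) in certreq's {text} syntax: dns=a&dns=b&...
$sanText = ($sanNames | ForEach-Object { "dns=$_" }) -join '&'

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$exchangeFqdn, O=Contoso, C=US"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
; Legacy CAPI CSP, deliberately NOT a CNG key storage provider.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; SHA-2 signature on the CSR itself (the CA decides the hash of the issued cert).
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$sanText"
"@
Set-Content -Path "$work\exchange.inf" -Value $inf -Encoding Ascii

# 1. Generate the key pair in the machine store and the CSR.
certreq.exe -new "$work\exchange.inf" "$work\exchange.req"

# 2. Submit to the standalone CA. A standalone CA leaves the request pending;
#    the CA admin issues it (on the CA: certutil -resubmit <RequestId>), after
#    which -retrieve fetches the certificate.
$submit = certreq.exe -submit -config $caConfig "$work\exchange.req" "$work\exchange.cer"
$idLine = $submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $idLine) { throw "No RequestId returned by the CA:`n$($submit -join "`n")" }
$requestId = $idLine.Matches[0].Groups[1].Value
Write-Host "Request $requestId submitted; issue it on the CA, then press Enter."
Read-Host | Out-Null
certreq.exe -retrieve -config $caConfig $requestId "$work\exchange.cer"

# 3. Bind the issued certificate to the private key in LocalMachine\My.
certreq.exe -accept "$work\exchange.cer"

# 4. Verify both properties the thread cares about: SHA-2 signature and a CAPI key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$exchangeFqdn*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "CA signed with $($cert.SignatureAlgorithm.FriendlyName); fix the CA hash, not the CSR."
}
$store = certutil.exe -store My $cert.Thumbprint
if (-not ($store | Select-String -SimpleMatch 'Microsoft RSA SChannel Cryptographic Provider')) {
    throw 'Private key is not in the legacy CSP; Exchange 2013 will not use it.'
}
Write-Host "OK: $($cert.Thumbprint) is sha256RSA with a CAPI key."

# 5. In the Exchange Management Shell, assign it to IIS (OWA/ECP/EWS/ActiveSync).
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
```

The part that actually changes the hash of the issued certificate is on the CA side, which is the poster's option A: `certutil -setreg ca\csp\CNGHashAlgorithm SHA256` followed by a restart of certsvc (`Restart-Service certsvc`). That setting only takes effect when the CA's own key is held in a CNG key storage provider; a CA whose key still lives in a legacy CSP has to have that key migrated to a KSP first, and once changed the CA signs every certificate it issues with SHA-256, so any SHA-1-only clients of that CA need checking beforehand.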

You should be able to use Exchange to make the CSR, and then tell your provider to create the cert with SHA2.

http://www.workingsysadmin.com/renewing-exchange-2013-certificates-sha-256-style/

May 19th, 2015 11:17am

I am my provider, as I said I have an internal sta
May 19th, 2015 11:24am


...no, you can't; this would "probably" happen if I change it as per my point "A" above, or if you use CNG, which Exchange does not sup
May 19th, 2015 12:07pm

Hi aperelli,

Have you tried to create a CSR request with SHA256?

Please refer to the following article:

Create a CSR with SHA256 signature algorithm

I had to submit a CSR file for renewing my Exchange 2010 internal CAS servers. But when I created a certificate request using Exchange PowerShell it creates with SHA1 by default. Then found a way to create a CSR with SHA256 using certificate management console. Just thought of sharing with you.

Best regards,

May 20th, 2015 4:35am

Hi Niko,

I have seen that article, but people around the web say that Exchange 2013 ECP and OWA won't work since Exchange 2013 doesn't support CNG keys on WS2012. Did you have any issue on Exchange 2010?

May 20th, 2015 4:50am

Just curious: are you deploying 3rd party certs at all for external access (OWA, ActiveSync)?

You really should be and in that case, the 3rd party cert provider will generate the cert in SHA-2 format.

If not using a 3rd party provider, why not? 

If these certs are for internal use only and are trusted in the forest, why the need to use a SHA-2 cert? Just wondering, not trying to be a pest :)

May 20th, 2015 10:52am

eheh

All very good questions :)

I can't really answer. Please believe me this wasn't my

May 20th, 2015 11:28am
