Self-signed SSLs - SHA2

Hi all,

I'd like to renew the self-signed certificates using SHA256 within Exchange 2013 (EAC / Servers / Certificates / named: Microsoft Exchange, Microsoft Exchange Server Auth Certificate and WMSVC). We have an internal vulnerability scanner complaining about the use of SHA-1 due to the recent finding. The externally facing SSL certificate is using SHA256, but this was generated and signed outside of Exchange 2013 and simply imported.

I've tried this command, but as this server doesn't have the CA role installed it's not working:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

Error is: certutil -setreg command FAILED: 0x80070002 (win32: 2 error_file_not_found)

How can these self-signed certificates be renewed using SHA256?

Thanks

Chris

February 16th, 2015 9:21am

Until Microsoft changes the way Exchange generates the cert or gives you an option for SHA-2, I don't think there is any option for the self-signed cert.
February 16th, 2015 9:35am

Hi,

As Andy says, there is no option in Exchange to generate a self-signed certificate using SHA256. Generating a custom request with SHA256 is possible and can be used for a non-self-signed certificate:

https://social.technet.microsoft.com/Forums/en-US/54bf4bad-d662-40ef-87e6-4e2b553ee2d3/how-to-create-a-sha256-san-certificate-for-exchange?forum=excha

Regards,

February 17th, 2015 4:51am

Thanks for the input. 

Is there another way to replace these three certificates instead? Microsoft Exchange, Microsoft Exchange Server Auth Certificate and WMSVC

It would be good to have everything SHA256, but if this isn't possible then we'll put this down as an accepted risk.

Chris

February 17th, 2015 10:09am

Yea, I don't think you want to mess with those certs since Exchange Setup creates them. I would put it down as an accepted risk.  :)

February 17th, 2015 11:24am
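If the SHA-1 self-signed certificates are going to be recorded as an accepted risk, it helps to have an inventory of exactly which Exchange certificates still carry a SHA-1 signature, whether they are self-signed, and which services they are bound to. The script below is an added example for this thread, not something posted by its participants; it assumes it is run in the Exchange Management Shell on the server, and that every certificate Exchange reports is also present in the machine's personal store (Cert:\LocalMachine\My), which is where the X509Certificate2 signature algorithm is read from.

```powershell
# Added example: inventory Exchange certificates and flag SHA-1 signatures.
# Assumes the Exchange Management Shell (Get-ExchangeCertificate) is loaded
# and that the certificates live in Cert:\LocalMachine\My.

# Build a lookup of thumbprint -> X509Certificate2 from the machine store,
# because that object exposes SignatureAlgorithm (e.g. sha1RSA, sha256RSA).
$store = @{}
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $store[$_.Thumbprint] = $_
}

$report = foreach ($exCert in Get-ExchangeCertificate) {
    $x509 = $store[$exCert.Thumbprint]
    if (-not $x509) {
        # Certificate known to Exchange but not found in the personal store;
        # report it so nothing silently drops out of the inventory.
        $sigAlg = '(not in LocalMachine\My)'
    } else {
        $sigAlg = $x509.SignatureAlgorithm.FriendlyName
    }

    [pscustomobject]@{
        Thumbprint   = $exCert.Thumbprint
        Subject      = $exCert.Subject
        SelfSigned   = $exCert.IsSelfSigned
        Services     = $exCert.Services
        NotAfter     = $exCert.NotAfter
        SignatureAlg = $sigAlg
        # Flag anything whose signature hash is SHA-1 (sha1RSA, sha1DSA, ...).
        Sha1         = ($sigAlg -like 'sha1*')
    }
}

# Full inventory, SHA-1 entries first, for the risk-acceptance record.
$report | Sort-Object -Property Sha1 -Descending |
    Format-Table Thumbprint, SelfSigned, Services, SignatureAlg, Sha1, NotAfter -AutoSize

# Summary line: how many of the SHA-1 certificates are self-signed versus
# issued by a CA (the latter can be re-requested with SHA-256 as the thread notes).
$sha1 = @($report | Where-Object { $_.Sha1 })
"SHA-1 certificates: {0} (self-signed: {1})" -f $sha1.Count,
    @($sha1 | Where-Object { $_.SelfSigned }).Count
```

The WMSVC certificate is not always reported by Get-ExchangeCertificate; if it is missing from the output, the same Cert:\LocalMachine\My listing above will still show its signature algorithm by its thumbprint.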

Thought that would be the case. Thanks for the input, all.

Chris

February 18th, 2015 3:45am
