Creating SSL certificates with SHA256 on Windows with IIS

Posted on Apr 14, 2015 in Technical

So I just went to renew our SSL certificates and I noticed that the Certificate Request generation process built into IIS only supports the (not very popular any more) SHA1 hash algorithm, with no mechanism provided to change to the better SHA256.

The process of completing this seemingly straightforward task sent me through no fewer than three blog posts and a reference document for the certreq.exe tool, so I thought I'd collect my findings in one place for the next time I need to do this.

According to Microsoft TechNet:

Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.

Make yourself a nice, new directory somewhere and create a blank text file called new-ssl.inf.  In the file place the following contents:

[Version] 
Signature="$Windows NT$"

[NewRequest] 
Subject = "CN=<certificatecommonname>,OU=<organizationalunit>,O=<organizationname>,L=<location>,S=<state>,C=<countrycode>"
; For an empty subject use the following line instead or remove the Subject line entirely 
; Subject = 
KeySpec = 1                         ; AT_KEYEXCHANGE 
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384 
Exportable = TRUE                   ; Private key can be exported (e.g. to a PFX); set FALSE to pin it to this machine
MachineKeySet = TRUE                ; The key belongs to the local computer account 
SMIME = FALSE 
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12 
RequestType = PKCS10
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment 
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Strings] 
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17" 
szOID_ENHANCED_KEY_USAGE = "2.5.29.37" 
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1" 
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions] 
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=<san1>&dns=<san2>" 
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes] 
CertificateTemplate= WebServer

Important things to note in the above: 

  • You can have multiple Subject attributes in the NewRequest section to specify Subject Alternate Names.
  • I don't know why but it is recommended that SANs are also appended to the Extensions section.
  • The dotted numbers are OIDs (fixed constants) that identify the roles and services the certificate applies to; you don't need to change them.
  • The country code is a 2-letter code (in general) so for Australia it is "AU"
  • Everything to the right of the semi-colon is a comment (for that line)
  • The request type "PKCS10" is the one needed by our SSL authority, but different values may be supported by different providers. This one should work in most cases.
  • A key length of 2048 is correct in most cases and is the most common at present
  • The CertificateTemplate didn't exist for me and in fact causes a non-fatal error; I don't know where to get it from either. The reference in TechNet says it's optional, so you can probably leave it off.

Open a command prompt "as administrator" (i.e. elevated) and enter the following command:

C:\temp\ssl> certreq -New new-ssl.inf new-ssl-csr.txt

It seems to take quite a while to run for me, probably a minute. There was an error in the middle complaining that the "Certificate Template could not be found", but this did not affect the process or the result, and the parameter is optional so I believe there are no ill-effects from this problem.

The resulting file contains the text you need to provide to your SSL issuer - it is the Base64 encoded version of your request information and includes the "BEGIN" and "END" lines.  Copy/paste the entire contents of this file into the SSL issuer's web site when requested (or upload the file).  It is completely safe to do this, as there is no security-related information contained in the text block.

Your SSL issuer will then make you do a little song-and-dance to prove your identity.  Once you get to the end of that they should provide you with a similar (but obviously different) block of Base-64 encoded text.  Mine came in an email from the issuer.  Copy that block, including the "BEGIN" and "END" lines into a new text file in the same location as the request file we generated earlier, and call the file new-ssl-response.txt.

Note: THIS MUST BE DONE ON THE SAME MACHINE THAT THE REQUEST WAS CREATED ON OR IT WILL NOT WORK.  

See how I shouted that - don't get that bit wrong.

Open an elevated command prompt as before and enter the following command:

C:\install\ssl> certreq -Accept new-ssl-response.txt

This should create the certificate and install it into your Computer Certificate Store.  Click "Start" and type "Certificates" and select the program "Manage Computer Certificates" to open the MMC console and your certificate should be in the Local Computer's Personal store.  You can export it from there to a PFX file if you need to install it in other places.

One last thing, in the MMC console right-click the certificate and select Properties and set a Friendly Name - I used "*.ping-works.com.au (2015-2018)", but you can use "Fred" or "Simone" or anything you like really.  The friendly name makes it easier to spot in IIS Manager when you are setting Web Site Bindings.
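The whole procedure above, wrapped in two PowerShell functions, as an added example that is not part of the original post or of any Microsoft tool. It writes the same .inf (with HashAlgorithm = sha256 and the SAN extension given by its bare OID), runs certreq -New, and checks with certutil -dump that the request really is SHA-256 signed before you send it to the issuer; the second function runs certreq -Accept and then checks that the installed certificate has its private key, which is exactly what goes missing if you accept the response on a different machine. The working directory, common name, SAN list, organisation values and friendly name are placeholders, not values from the post.

```powershell
# Added example, not part of the original post: wraps the certreq steps in two
# functions and checks the result of each. Run in an elevated PowerShell on the
# machine that will hold the private key. Directory, subject values, SANs and
# friendly name are placeholders (assumptions); replace them with your own.

function New-SslRequest {
    param(
        [string]$WorkDir,                                   # e.g. C:\temp\ssl (assumed)
        [string]$CommonName,                                # e.g. www.example.com (placeholder)
        [string[]]$SanNames,                                # DNS names for the SAN extension
        [string]$OrgSuffix = 'O=Example Org,L=Sydney,S=NSW,C=AU'  # placeholder subject values
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $infPath = Join-Path $WorkDir 'new-ssl.inf'
    $csrPath = Join-Path $WorkDir 'new-ssl-csr.txt'
    # "{text}dns=a&dns=b" is the SAN syntax used in the post; 2.5.29.17 is the SAN OID.
    $sanValue = ($SanNames | ForEach-Object { "dns=$_" }) -join '&'

    # Same request definition as the post; HashAlgorithm = sha256 is the setting
    # the IIS wizard cannot change. Backticks keep the literal $ signs in the INF.
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName,$OrgSuffix"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xA0
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}$sanValue"
"@
    Set-Content -Path $infPath -Value $inf -Encoding ASCII

    # Generate the key pair (in the machine store) and the Base64 request file.
    & certreq.exe -New $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -New failed (exit code $LASTEXITCODE)" }

    # Check the request before handing it to the issuer: certutil -dump decodes the
    # PKCS#10 and prints its signature algorithm (sha256RSA for an RSA key) and SANs.
    $dump = (& certutil.exe -dump $csrPath) -join "`n"
    if ($dump -notmatch 'sha256RSA') { throw 'CSR is not signed with SHA-256; check HashAlgorithm in the .inf' }
    foreach ($name in $SanNames) {
        if ($dump -notmatch [regex]::Escape($name)) { Write-Warning "SAN '$name' not found in CSR dump" }
    }
    return $csrPath   # paste this file's full contents into the issuer's site
}

function Complete-SslRequest {
    param([string]$WorkDir, [string]$CommonName, [string]$FriendlyName)
    $respPath = Join-Path $WorkDir 'new-ssl-response.txt'
    if (-not (Test-Path $respPath)) { throw "Response file $respPath not found" }

    # Install the issued certificate into the Local Computer Personal store.
    & certreq.exe -Accept $respPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -Accept failed (exit code $LASTEXITCODE)" }

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CommonName*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$CommonName found in LocalMachine\My" }

    # The private key only exists on the machine that ran certreq -New. A certificate
    # without it cannot be bound in IIS, so fail here rather than in the binding dialog.
    if (-not $cert.HasPrivateKey) {
        throw 'Installed certificate has no private key; run -Accept on the machine that created the request'
    }
    if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
        Write-Warning "Issuer signed the certificate with $($cert.SignatureAlgorithm.FriendlyName), not sha256RSA"
    }

    # Setting FriendlyName through the Cert: provider persists it to the store.
    $cert.FriendlyName = $FriendlyName
    return $cert
}

# Usage (two separate elevated sessions, both on the same machine):
#   New-SslRequest -WorkDir 'C:\temp\ssl' -CommonName 'www.example.com' -SanNames 'www.example.com','example.com'
#   ... paste the issuer's response into C:\temp\ssl\new-ssl-response.txt ...
#   Complete-SslRequest -WorkDir 'C:\temp\ssl' -CommonName 'www.example.com' -FriendlyName 'www.example.com (2015-2018)'
```

One point the post does not spell out: HashAlgorithm in the .inf controls how the request itself is signed. The hash used in the final certificate is chosen by the issuing CA, which is why the second function warns rather than fails if the issued certificate is not sha256RSA; take that warning up with the issuer, not the .inf.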

Good luck future me coming back to find this in 3 years.