Create SHA-2 CSR on Windows
Create SHA-2 CSR file
If you are generating a CSR and your CA will not accept it because it is signed with SHA-1, you should switch to SHA-2. However, on some Windows 2003, 2008 and 2012 servers the default CSR is generated with SHA-1,
so let's do it manually:
In this guide we are not going to use OpenSSL; with Windows alone and no extra tools, we can create a SHA-2 CSR file.
To start:
Run > MMC > File > Add/Remove Snap-in… > Certificates > Add
(These screenshots are from Windows Server 2012 R2, but Windows 2003 and 2008 have the same steps.)
Type MMC in Run.
From File > Add/Remove Snap-in…
Select Certificates in the left panel and click the Add button.
After clicking Add, the Certificates snap-in window pops up. Select Computer account (this choice is not very important) > Next.
In the "Select the computer you want…" step, select Local computer (the computer this console is running on) > Finish.
In the "Add or Remove Snap-ins" window, select the added Certificates snap-in and press OK.
Under Console Root, select Personal > Certificates (right-click) > All Tasks > Advanced Operations > Create Custom Request…
In the Certificate Enrollment window, select Next.
Select Proceed without enrollment policy on the Select Certificate Enrollment Policy page > Next.
In the Custom request window, select (No template) CNG key and PKCS #10 format, then select Next.
On the Certificate Information page, click Details; a Properties button appears, so click it.
In Certificate Properties > General tab, for Friendly name and Description enter the domain you need the SSL certificate for. For example, if you are creating the CSR for www.day.ir, type that in both fields.
In Certificate Properties > Subject tab, under Subject name, pick from the Type list in the left panel the types your CA requires of you. The items introduced below are usually necessary: after selecting a type, fill in its Value and click Add to move it to the right panel. Items you may need:
Common name: CN is your domain name, for example CN=www.day.ir
Organization: O is your company name, for example O=Day Telecom
Organization Unit: OU is the name of the unit in your company that is responsible for SSL, for example OU=Security or OU=IT Dept
Locality: L is your city, for example L=Tehran
State: S is your state within your country, for example S=Tehran
Country: C, for example C=IRAN
Email: E is the email address on the certificate, for example E=webmaster@domain
You can also add a SAN (Subject Alternative Name) if your issuing CA supports it. For example, if you don't add www in the Alternative Name, your SSL certificate will not cover https://www.yourdomain.com and it will just use http://yourdomain.com
This part is why we are here: in the Private Key tab, expand Key options and change Key size to 2048 or bigger. Under "Select Hash Algorithm", change Hash Algorithm to sha256, then click OK and Next.
Selecting Make private key exportable will let you back up the installed certificate in the future, for a move to a new server or in case of any problem.
On "Where do you want to save the offline request?", select the destination and, under File format, select Base 64 > Finish.
Now you can check your SHA-2 CSR file online.
If you'd like to redirect HTTP to HTTPS, you may want to check this guide:
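The same request the wizard builds can also be produced from the command line with certreq.exe and an INF file, which is useful on servers without a desktop session and makes the SHA-256 and key-size choices explicit. This is an added example, not part of the original guide: the subject values repeat the ones above (www.day.ir, Day Telecom, Tehran), while the file names request.inf and request.csr and the SAN list are assumptions.

```powershell
# Added example: certreq.exe equivalent of the MMC custom-request wizard above.
# File names and the SAN entries are assumptions; subject values follow the guide.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject tab fields (C is the two-letter ISO country code in an INF)
Subject = "CN=www.day.ir, O=Day Telecom, OU=IT Dept, L=Tehran, S=Tehran, C=IR, E=webmaster@day.ir"
FriendlyName = "www.day.ir"
; Private Key tab: CNG key, 2048-bit RSA, exportable for later backup or migration
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = TRUE
; Computer account store, as chosen in the snap-in
MachineKeySet = TRUE
; The setting this guide is about: sign the request with SHA-256, not SHA-1
HashAlgorithm = sha256
; Custom request: (No template), PKCS #10 format
RequestType = PKCS10
; Digital signature + key encipherment, the usual TLS server key usage
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name so the certificate covers both host names
2.5.29.17 = "{text}"
_continue_ = "dns=www.day.ir&"
_continue_ = "dns=day.ir"
'@

Set-Content -Path .\request.inf -Value $inf -Encoding ASCII
# Generates the key pair in the machine store and writes a Base 64 PKCS #10 request
certreq.exe -new .\request.inf .\request.csr

# Check the request offline before sending it to the CA: the signature
# algorithm line must read sha256RSA (not sha1RSA) and the key must be 2048 bits.
certutil.exe -dump .\request.csr | Select-String -Pattern 'sha256RSA|sha1RSA|Public Key Length'
```

Run the script from an elevated PowerShell prompt, since the key is created in the computer's key store.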
https://day.ir/blog/en/redirect-http-to-https-ssl-windows-url-rewrite/
How do I add that CSR to the server?
Very helpful, thanks! Good guide and screenshots, this is exactly what I was looking for.
Hi, when importing a certificate an error happens.
I really appreciate your help
You don't need to add the CSR to the server; it's for the CA. You should send it to the CA, then you will get your certificate and can import it to the server.
Thanks, it was helpful.
Appreciate that
easy peasy
That is a very good tip.