How to generate a SHA256 certificate and How to install SHA256 certificate in IIS

Hi all, today I am going to discuss a quite interesting topic: how to generate a SHA256 certificate and how to install a SHA256 certificate in IIS. I tried a lot of things to achieve this and finally I did it. I hope my findings and solutions will help those who are struggling to create a SHA256 certificate and protect a site with it.

As a first step, let me tell you that we cannot generate a SHA256 certificate with the help of IIS alone (IIS will only generate a certificate request using an SHA1 hash), and it is better to try this on Windows Server 2008 or above.
Please go through the following steps to generate a SHA256 certificate.

1) Download and install OpenSSL from Shining Light. While installing, please remember the path (here my installation path is c:\OpenSSL-Win32).
2) Create a folder in any location (my folder location is C:\OpenSSL).
3) Open a command prompt [cmd] and execute the command given below.
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
4) Generate your certificate request (CSR), specifying an SHA256 signature hash. Execute the command given below (run it from the OpenSSL installation's bin folder, C:\OpenSSL-Win32\bin).
openssl req -nodes -sha256 -newkey rsa:2048 -keyout C:\OpenSSL\PrivateKey.key -out C:\OpenSSL\CertificateRequest.csr
5) You'll be prompted for a few certificate fields; enter those fields as they come up.
6) This will generate two files – 1) PrivateKey.key (which contains the un-encrypted version of your private key – protect this file, as somebody who obtains it along with your signed public key can impersonate you) 2) CertificateRequest.csr (your certificate signing request, which is not sensitive).
7) Check which hash algorithm the CA is currently using by executing the command given below.
certutil -getreg ca\csp\CNGHashAlgorithm
If this returns SHA256, skip to step 9.
8) By default the command above should return SHA1. Run the command given below to configure the CA to use SHA256 for CNG hashes.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
9) Restart Certificate Services:
net stop CertSvc && net start CertSvc

10) Repeat step 7 and make sure that the current hash algorithm is now SHA256.
11) Go to your browser, open http://localhost/CertSrv and click on Request a certificate.
12) Then click on Advanced certificate request.
13) Then click on the second link (shown in the screenshot).

14) Go to the folder where CertificateRequest.csr is located [C:\OpenSSL]. Open the file CertificateRequest.csr in Notepad and copy the encoded value.
15) Go back to the browser and paste the copied encoded value into the Base-64-encoded certificate request field, as shown in the screenshot.

Then click on Submit.

16) Click on the Base 64 encoded option, then click on the Download certificate link. It will download your .cer file [I am saving this CertNew.cer in C:\OpenSSL].

17) Copy your PrivateKey.key and CertNew.cer [from C:\OpenSSL] to the OpenSSL installation folder\bin [C:\OpenSSL-Win32\bin].
18) Open your command prompt [Run -> cmd] and execute the command given below (run it from the OpenSSL-Win32 installation's bin folder, C:\OpenSSL-Win32\bin).
openssl pkcs12 -inkey PrivateKey.key -in CertNew.cer -export -out CertNew.pfx
19) Open IIS Manager [Run -> inetmgr] and go to the Server Certificates option, as shown in the screenshot.

20) Click on the Import option, as shown in the screenshot, and select the CertNew.pfx file from the location where we created it [C:\OpenSSL-Win32\bin\CertNew.pfx].
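Before importing the PFX into IIS it is worth confirming that the CSR, the certificate the CA returned and the PFX really carry a SHA256 signature, because a CA still set to SHA1 will happily sign a SHA256 CSR with SHA1. The script below is an added example (not from the original post) that runs the same openssl commands on Linux/macOS; it self-signs the CSR as a stand-in for the CA step, so in a real deployment you would point it at the CertNew.cer you downloaded instead. The WORK directory, the subject CN and the PFX password are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check that key, CSR, certificate and PFX use SHA256.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
PFX_PASS="changeit"                   # assumed PFX password, for the demo only

# Step 4 of the post, made non-interactive with -subj (CN is an assumption).
make_csr() {
  openssl req -nodes -sha256 -newkey rsa:2048 \
    -keyout "$WORK/PrivateKey.key" -out "$WORK/CertificateRequest.csr" \
    -subj "/CN=example.test" 2>/dev/null
}

# Stand-in for the CA (steps 7-16): self-sign the CSR with SHA256.
# A real deployment uses the CertNew.cer returned by the CA instead.
sign_csr() {
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/CertificateRequest.csr" -signkey "$WORK/PrivateKey.key" \
    -out "$WORK/CertNew.cer" 2>/dev/null
}

# Step 18: bundle private key and certificate into a PFX for IIS.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/PrivateKey.key" -in "$WORK/CertNew.cer" \
    -out "$WORK/CertNew.pfx" -passout "pass:$PFX_PASS"
}

# Print the signature algorithm of a CSR ($1=req) or certificate ($1=x509).
# Expect sha256WithRSAEncryption; sha1WithRSAEncryption means the CA was
# still on SHA1 and steps 8-10 must be repeated.
sig_alg() {
  openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Return 0 if the certificate inside the PFX is the one we signed
# (compare RSA moduli), so the wrong file was not bundled by mistake.
pfx_matches_cert() {
  a=$(openssl pkcs12 -in "$WORK/CertNew.pfx" -nokeys -passin "pass:$PFX_PASS" \
        2>/dev/null | openssl x509 -noout -modulus)
  b=$(openssl x509 -in "$WORK/CertNew.cer" -noout -modulus)
  [ "$a" = "$b" ]
}

make_csr && sign_csr && make_pfx
echo "CSR  signature: $(sig_alg req  "$WORK/CertificateRequest.csr")"
echo "Cert signature: $(sig_alg x509 "$WORK/CertNew.cer")"
pfx_matches_cert && echo "PFX contains the signed certificate"
```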

Please spend a few more seconds and let me know whether this post helped you.
Happy Coding!!!!!! 🙂

Share this article and help others. Also let me know if it worked for you.

Learn, share, grow .... :).

1 Comment

  1. Graham Ansell

    Thanks for taking the time to create and post this guide, helped me a lot.
