How to generate a SHA256 certificate and how to install SHA256 certificate in IIS

  1. Download and install OpenSSL from Shining Light. Note the installation path while installing (here the installation path is c:\OpenSSL-Win32).
  2. Create a working folder in any location (here the folder is C:\OpenSSL).
  3. Open a command prompt (cmd) and execute the command below.
    set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
  4. Generate your certificate signing request (CSR), specifying a SHA256 signature hash, by executing the command below from the OpenSSL installation folder's bin directory (C:\OpenSSL-Win32\bin).
    openssl req -nodes -sha256 -newkey rsa:2048 -keyout C:\OpenSSL\PrivateKey.key -out C:\OpenSSL\CertificateRequest.csr
  5. You will be prompted for a few certificate fields; enter them as they come up.
  6. This generates two files: 1) PrivateKey.key, which contains the unencrypted version of your private key. Protect this file: somebody who obtains it along with your signed public key can impersonate you. 2) CertificateRequest.csr, your certificate signing request, which is not sensitive.
  7. Check which hash algorithm the CA currently uses by executing the command below.
    certutil -getreg ca\csp\CNGHashAlgorithm
    If this returns SHA256, skip to step 9.
  8. By default the above should return SHA1. Run the command below to configure the CA to use SHA256 for CNG hashes.
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256
  9. Restart Certificate Services:
    net stop CertSvc && net start CertSvc
  10. Repeat step 7 and make sure the current hash algorithm is now SHA256.
  11. In your browser, open http://localhost/CertSrv and click Request a certificate.
  12. [Screenshot: ssl-sha256-1]
  13. Then click Advanced certificate request. [Screenshot: ssl-sha256-2]
  14. Then click the second link, shown below, for submitting a base-64-encoded certificate request. [Screenshot: ssl-sha256-3]
  15. Go to the folder where CertificateRequest.csr is located (C:\OpenSSL). Open CertificateRequest.csr in Notepad and copy the encoded contents.
  16. Go back to the browser and paste the copied text into the Base-64-encoded certificate request box as shown below, then click Submit. [Screenshot: ssl-sha256-4]
  17. Select the Base 64 encoded option, then click the Download certificate link. This downloads your .cer file (here saved as CertNew.cer in C:\OpenSSL). [Screenshot: ssl-sha256-5]
  18. Copy PrivateKey.key and CertNew.cer from C:\OpenSSL to the OpenSSL installation folder's bin directory (C:\OpenSSL-Win32\bin).
  19. Open a command prompt (Run -> cmd) and execute the command below from the OpenSSL-Win32 installation folder's bin directory (C:\OpenSSL-Win32\bin). You will be prompted for an export password, which protects the private key inside the PFX.
    openssl pkcs12 -inkey PrivateKey.key -in CertNew.cer -export -out CertNew.pfx
  20. Open IIS Manager (Run -> inetmgr) and go to the Server Certificates option as shown below. [Screenshot: ssl-sha256-6]
  21. Click the Import option as shown below and select the CertNew.pfx file from the location where it was created (C:\OpenSSL-Win32\bin\CertNew.pfx). [Screenshot: ssl-sha256-8]
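Added example, not part of the original guide: a stand-alone Python 3 script using only the standard library that reads a PEM-encoded CSR or certificate and reports the signature algorithm OID, so you can confirm that CertificateRequest.csr from step 4 and the CertNew.cer downloaded in step 17 actually carry sha256WithRSAEncryption rather than SHA-1 before the PFX is imported into IIS. It goes slightly beyond the page by handling both PKCS#10 requests and X.509 certificates with the same parser, since both share the outer SEQUENCE { body, AlgorithmIdentifier, BIT STRING } layout. The script name check_sig.py and the make_sample_pem helper, which builds a constructed placeholder structure (correct outer layout, dummy body and signature) rather than a real request, are assumptions of this example.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to their names.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA256_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"}


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def _read_tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(data):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted-decimal form."""
    parts = [str(data[0] // 40), str(data[0] % 40)]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(pem_text):
    """Return (oid, name) of the outer signature algorithm of a PEM CSR or certificate.

    PKCS#10 and X.509 are both SEQUENCE { body, AlgorithmIdentifier, BIT STRING },
    so the same walk works for CertificateRequest.csr and CertNew.cer.
    """
    der = pem_to_der(pem_text)
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, body_end = _read_tlv(der, start)           # skip the signed body
    tag, alg_start, _ = _read_tlv(der, body_end)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def is_sha256_signed(pem_text):
    """True when the CSR/certificate declares a SHA-256 based signature algorithm."""
    return signature_algorithm(pem_text)[0] in SHA256_OIDS


# --- constructed sample data (placeholder structures, not real requests) ---

def _tlv(tag, body):
    """Encode one DER element (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted-decimal string to DER OID body."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out.extend(chunk)
    return bytes(out)


def make_sample_pem(label, sig_oid):
    """Constructed stand-in for a CSR/certificate: real outer layout, dummy body and signature."""
    body = _tlv(0x30, _tlv(0x02, b"\x00"))                               # placeholder body
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" * 9)                                         # placeholder BIT STRING
    b64 = base64.b64encode(_tlv(0x30, body + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # e.g. python check_sig.py C:\OpenSSL\CertNew.cer
        with open(sys.argv[1]) as fh:
            pem = fh.read()
    else:                                    # no file given: check a constructed SHA-256 sample
        pem = make_sample_pem("CERTIFICATE REQUEST", "1.2.840.113549.1.1.11")
    oid, name = signature_algorithm(pem)
    print(f"{name} ({oid}) -> {'OK' if is_sha256_signed(pem) else 'NOT SHA-256'}")
```

Run it as python check_sig.py C:\OpenSSL\CertNew.cer (or against CertificateRequest.csr) on the machine where the files were saved; with no argument it checks the constructed sample. It inspects only the declared algorithm and does not verify the signature itself; the same field is shown by openssl x509 -noout -text or certutil -dump on the file. If the .cer still reports sha1WithRSAEncryption after step 8, the CA service was not restarted or the request was issued by a different CA than the one reconfigured.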