CSR Request for SHA-2 Certificate


Before you begin

It is important to check your environment's readiness for SHA-2, especially the devices and the operating system.

Please check SHA-2 Certificate Compatibility for your environment.

Create CSR for SHA-2 Algorithm

From the computer/server to which you want to apply the certificate:

  • Type MMC in Run
  • In the MMC console click File >> Add/Remove snap-in
  • Choose Certificates >> Add >> Computer >> Local Computer


  • Click Next
  • Go to Personal Store >> Certificates >> Right Click >> All Tasks >> Advanced Operations >> Create Custom Request


  • Choose Custom Request: Proceed without enrollment policy


  • Choose the Certificate Template: (No template) CNG Key
  • Request Format: PKCS#10

The Cryptography Next Generation (CNG) key allows us to change the algorithm to SHA-2.

  • Click Next
  • Click on Details >> Properties

Edit and Modify Certificate Properties

General Tab

  • Type the certificate Friendly name and Description

Subject Tab

Subject Name

Add the following Subject Name types:

  • Common Name (CN)

Main certificate name, for example (mail.msmuscle.net)

  • Country (C)

Country code, e.g. Jordan = JO

  • Locality (L), Organization (O), Organization Unit (OU), State (S)

Alternative Name

To add a Subject Alternative Name (SAN), add the following type:

  • DNS

Subject alternative name for your certificate, e.g. autodiscover.msmuscle.net


Extensions Tab

Key Usage

  • Add the key usage for your certificate
  • Check Make these key usages critical

Example: for Exchange Server and Lync Server (Digital signature, Key encipherment)


Extended Key Usage (Application Policies)

Defines the purpose of the certificate and how the certificate can be used

  • For Exchange and Lync Server (Server Authentication, Client Authentication)


Private Key Tab

Key options

Set the key length and make the private key exportable

  • Change key size to 2048
  • Check Make private key exportable


Select Hash Algorithm

Select the algorithm for your request

  • Change Hash Algorithm to sha256



  • Finally, click OK

  • Then click Next



  • Save the request file to your local computer. File format: Base 64
  • Click Finish



Now the request with the SHA-2 algorithm is ready for your certificate


To Issue the Certificate from the request file

  • Public certificate: send the request file to your public certificate issuer
  • Local certificate: issue/sign the certificate using your Certificate Authority (CA)

Post tasks:

  • Lync Server: because of CNG key compatibility, you have to modify the certificate for it to apply successfully (modify your certificate)


To verify whether your request file is SHA-2 or not:

Use this LINK from Symantec.

Open the file using Notepad, copy and paste your request file content, and check.
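
The MMC steps above and the SHA-2 check can also be done locally from an elevated PowerShell prompt with certreq.exe and certutil.exe. This is an added example, not part of the original post; the host names are the post's examples, while the friendly name and the file names request.inf and request.req are assumptions.

```powershell
# Added example: the same request as the MMC wizard, built with certreq.exe.
# Run elevated (MachineKeySet stores the key in the local computer store).
# Assumed names: request.inf, request.req and the FriendlyName value.
# KeyUsage 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20).
# The "critical" flag for key usage is left at certreq's default here.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mail.msmuscle.net, C=JO"
FriendlyName = "mail.msmuscle.net SHA-2"
RequestType = PKCS10
ProviderName = "Microsoft Software Key Storage Provider"
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.msmuscle.net&"
_continue_ = "dns=autodiscover.msmuscle.net&"
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Generate the CNG key pair and write the Base64 PKCS#10 request file.
certreq.exe -new .\request.inf .\request.req
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify locally instead of pasting the request into a web page: the dump
# must list sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11, "sha256RSA").
$dump = certutil.exe -dump .\request.req
if ($dump -match '1\.2\.840\.113549\.1\.1\.11\b') {
    'OK: request is signed with SHA-256 (sha256RSA)'
} else {
    throw 'Request is not signed with sha256RSA; check HashAlgorithm and the provider'
}
```

The two OIDs under EnhancedKeyUsageExtension are Server Authentication and Client Authentication, matching the Extended Key Usage step.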



