Create a SHA-256 Certificate Request on Windows Server

Dec 27, 2022

On some versions of Windows Server, certificate management in IIS only allows the creation of SHA-1 certificate requests. This page shows how to generate a SHA-256 certificate request instead, using the Certificates snap-in in MMC.

Open MMC: open Run, type mmc and click OK
File, Add/Remove Snap-in
Certificates > Add
Computer Account
Local computer
Click Finish
Click OK
Expand Certificates
Expand Personal
Right-click the Certificates folder below Personal and choose All Tasks, Advanced Operations, Create Custom Request

In the Certificate Enrollment dialog, click Next.

Choose Proceed without enrollment policy, then click Next.

From the Template drop down, choose (No template) CNG key.
For Request format, choose PKCS #10.
Click Next.

Click the ˅ next to Details then click Properties

On the General tab, type the name of the primary use for your certificate into Friendly name. You can use the same text for the Description.

On the Subject tab you need Common Name, Organization, Locality, State, Country and Email. Under Subject name, use the Type drop-down to choose a field (for example Common name), type in the value and click Add. Repeat this for each of the fields you need.
If needed, add Organizational Unit under Subject name.
If you have more names, add an additional Common Name for each one under Alternative name. This is referred to as a Subject Alternative Name (SAN).

On the Private Key tab, click the ˅ next to Key options.
From the drop-down next to Key size, select 2048.
Check the box next to Make private key exportable.
Click the ˅ next to Select Hash Algorithm.
From the drop-down next to Hash Algorithm, select sha256.
Click OK once you have filled out the General, Subject and Private Key tabs.

Browse to where you want to store your certificate request file and make sure File Format is Base 64. When you click Finish, the dialog closes and your certificate request file is saved in the selected location under the file name you chose.
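The same request can be scripted with the built-in certreq.exe and its signature algorithm checked with certutil.exe. This is an added example, not part of the original page; the subject values, SAN names and file paths are placeholders, and it assumes an elevated PowerShell session.

```powershell
# Scripted equivalent of the MMC "Create Custom Request" steps above.
# All names and paths below are placeholders (assumptions); replace them.
# Run elevated: MachineKeySet = TRUE stores the key in the Local Computer store.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Org, L=Example City, S=Example State, C=US, E=admin@example.com"
FriendlyName = "www.example.com"
; CNG key, matching "(No template) CNG key" in the wizard
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com"
'@

$infPath = Join-Path $env:TEMP 'sha256-request.inf'
$reqPath = Join-Path $env:TEMP 'sha256-request.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Remove a stale request file so certreq does not stop to ask about overwriting.
if (Test-Path $reqPath) { Remove-Item $reqPath }

certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Verify the request before sending it to the provider.
# 1.2.840.113549.1.1.11 = sha256WithRSAEncryption; 1.2.840.113549.1.1.5 = SHA-1 with RSA.
$dump = certutil.exe -dump $reqPath | Out-String
if ($dump -match '1\.2\.840\.113549\.1\.1\.5\b') { throw 'Request is signed with SHA-1' }
if ($dump -notmatch '1\.2\.840\.113549\.1\.1\.11\b') { throw 'SHA-256 signature OID not found' }
Write-Output "SHA-256 request written to $reqPath"
```

The certutil check also works on a request file created through the MMC wizard: point `$reqPath` at that file and run only the last four lines.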

You can then submit the certificate request file to your certificate provider to generate your certificate. After you get your certificate file back, you can import it into the system using the certificate manager in IIS.
Open Internet Information Services (IIS) Manager
Click the hostname
On the right, choose the Server Certificates icon
On the far right menu, choose Complete Certificate Request
Browse to the location where you saved the new certificate file from your provider
Click OK
Then you can go into Bindings for the site(s) that use that certificate and make sure it is updated to this certificate you just installed.
In IIS Manager expand Sites and select the website for the certificate you just installed.
On the far right choose Bindings
In Site Bindings, click https, then click Edit
In the Edit Site Binding window, select the SSL certificate by the friendly name that you chose
Click OK