Was hoping someone could help me out with this one as there seems to be conflicting articles on the subject.
I've got a legacy server running Windows Server 2003 R2 with IIS6 and need to generate an SSL Certificate Request in SHA-256.
I've installed this Hotfix from MS (http://support.microsoft.com/kb/948963) which is supposed to add SHA-256 support.
Now that it's been installed, how exactly do I get IIS to generate the CSR in SHA-256?
Thanks in advance
Chris
Best Answer
There are a few updates that add SHA-256 support in Windows Server 2003. The one you need is KB2868626; when installed this update will enable you to install SHA-256 SSL certificates on Server 2003 SP2. You may want to install the ones below as well so you can connect to your own site.
KB938397 adds SHA-256 support to Server 2003 (SP1 or SP2). This update only enables Server 2003 to connect to sites that are using SHA-256 certs, but cannot serve them up itself (for that you need the above KB2868626). There is an additional SHA-2 update where XP & Server 2003 clients cannot get SHA-256 certificates from Windows Server 2008, that is KB968730.
Regarding the CSR generation, if you are purchasing a certificate from a public CA you shouldn't need to specify the signature algorithm in the CSR. The CA will issue your cert signed with SHA-1 or SHA-2 depending on your selection and/or the CA's issuance policy.
I did look into it and I don't see a way in Server 2003 to create a SHA-256 CSR. There is a utility called "Certreq" built into Windows. I don't see HashAlgorithm in the Server 2003 version of certreq, but it is present in later versions.
One other reference I found was creating a custom request through the MMC. In the tutorial it references selecting a hash algorithm, but the screenshot doesn't match. May be worth investigating.
Some additional resources:
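As an added illustration of the certreq route the answer mentions (this is not code from the original post or from Microsoft's documentation), the PowerShell below writes a certreq INF with the HashAlgorithm key, submits it with certreq -new, and then dumps the resulting request and, later, the CA-issued certificate to confirm which signature algorithm actually ended up on them. The HashAlgorithm key is the one the answer says is present in later certreq versions, not in the Server 2003 build; the subject name, file paths and organization values are placeholders, and the CN must be replaced with the real host name before submitting the request to a CA.

```powershell
# Added example: build a certreq INF that asks for a SHA-256-signed PKCS#10 request,
# generate the CSR, and verify the signature algorithm on the CSR and the issued cert.
# Assumes a certreq build that honours HashAlgorithm (Windows 7 / Server 2008 R2 and later,
# per the answer; the Server 2003 certreq does not document this key).

$workDir = 'C:\csr'                      # placeholder working folder
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# The INF sections and keys below are standard certreq [NewRequest] settings.
# Subject/O/L/S/C are placeholders; KeyUsage 0xA0 = digitalSignature + keyEncipherment,
# EKU 1.3.6.1.5.5.7.3.1 = serverAuth (what an IIS TLS certificate needs).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Corp, L=Placeholder City, S=Placeholder State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PEM-encoded CSR.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check which hash the CSR itself was signed with. certutil -dump prints the
# signature algorithm (e.g. sha256RSA or sha1RSA) for a PKCS#10 request.
Write-Host "CSR signature algorithm:"
& certutil.exe -dump $csrPath | Select-String -Pattern 'sha256RSA|sha1RSA'

# The CA, not the CSR, decides the hash on the issued certificate (as the answer notes),
# so run the same check on the certificate the CA returns before installing it in IIS.
$issuedCert = Join-Path $workDir 'issued.cer'   # placeholder: file returned by the CA
if (Test-Path $issuedCert) {
    Write-Host "Issued certificate signature algorithm:"
    & certutil.exe -dump $issuedCert | Select-String -Pattern 'sha256RSA|sha1RSA'
}
```

The CSR's own signature hash only proves the local certreq honoured the INF; the line that matters for clients is the one printed for the issued certificate, because the CA signs with its own policy regardless of how the request was hashed.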