Windows Server 2003 R2 / IIS6 & SHA-256 SSL Certificates
There are a few updates that add SHA-256 support in Windows Server 2003. The one you need is KB2868626; when installed this update will enable you to install SHA-256 SSL certificates on Server 2003 SP2. You may want to install the ones below as well so you can connect to your own site.
KB938397 adds SHA-256 support to Server 2003 (SP1 or SP2). This update only enables Server 2003 to connect to sites that are using SHA-256 certs, but cannot serve them up itself (for that you need the above KB2868626). There is an additional SHA-2 update where XP & Server 2003 clients cannot get SHA-256 certificates from Windows Server 2008, that is KB968730.
Regarding the CSR generation, if you are purchasing a certificate from a public CA you shouldn't need to specify the signature algorithm in the CSR. The CA will issue your cert signed with SHA1 or SHA2 depending on your selection and/or the CA's issuance policy.
I did look into it and I don't see a way in Server 2003 to create a SHA-256 CSR. There is a utility called "Certreq" built in to Windows. I don't see HashAlgorithm in the Server 2003 version of certreq, but it is present in later versions.
One other reference I found was creating a custom request through the MMC. In the tutorial it references selecting a hash algorithm, but the screenshot doesn't match. May be worth investigating.
Some additional Resources:
- SHA-2 and Windows
- Common Questions about SHA-2 and Windows
- Detailed SHA-2 Compatibility article.
Related videos on Youtube
Chris
Updated on September 18, 2022Comments
-
Chris almost 2 years
Was hoping someone could help me out with this one as there seems to be conflicting articles on the subject.
I've got a legacy server running Windows Server 2003 R2 with IIS6 and need to generate an SSL Certificate Request in SHA-256.
I've installed this Hotfix from MS (http://support.microsoft.com/kb/948963) which is supposed to add SHA-256 support.
Now that its been installed, how exactly do I get IIS to generate the CSR in SHA-256?
Thanks in advance
Chris
-
Chris over 9 yearsHi Jeff,Thanks for the update... i've already tried the search you suggested but got lots of conflicting answers so was hoping someone might have managed to do this and have a definitive guide?