Now that Google Chrome is “warning” about SHA-1 hashed certificates and most certification authorities seem to be issuing only certificates with 2048-bit keys, it is a good idea to replace any certificates that use the weaker hashing and key size. Older versions of Windows Server, such as SBS 2008 and Server 2008, don’t make it easy to request the stronger certificates. The steps below let you create and install a new certificate from an external authority.
To create the request you need to:
Run MMC and use “Add or remove snap-ins” to load the Certificate Templates and Certificates snap-ins. Load the Certificates snap-in for the Local Computer.
Use the Certificate Templates snap-in to copy the Web Server template, then edit the copy. Set it to 2048 bit and SHA256.
Then use the Certificates snap-in to create a custom request.
Base it on the template made in the first step.
When it gets to the Certificate Information page, click the Details and properties “buttons” to get access to the important information.
Enter your Common Name, Country, Organisation, etc…
Make sure you make the private key exportable and check that the key size is 2048 and the hash algorithm is sha256.
Then save the certificate request as a file and submit that file to your certification authority. Once you receive the certificate from your authority, you can use the certreq tool to satisfy the request, and the certificate will be added back to the Certificates store.
You can then move or export the now-valid certificate (it is in the Local Computer / Personal certificate store), including its private key, protected with a password. Once you have done that, you can import it (using the password) into your web server and assign it to the web site you needed it for. Exporting the private key with the certificate means it can be imported on any machine, not just the one it was created on.
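The checks a practitioner would run around the certreq step, as an added example that is not part of the original post: confirm the saved request really is 2048-bit and SHA-256 before submitting it, accept the issued certificate, then confirm what the CA actually signed. The file paths and common name are placeholders, and the text matching assumes certutil's English output.

```powershell
# Added example. Paths and the common name are placeholders, not values from the post.
$RequestFile = 'C:\certs\www.req'    # request saved from the Certificates snap-in
$IssuedCert  = 'C:\certs\www.cer'    # certificate returned by the CA
$CommonName  = 'www.example.com'     # Common Name entered in the request
$Sha256Rsa   = '1.2.840.113549.1.1.11'   # OID of sha256WithRSAEncryption

# 1. Before submitting: dump the request and check key size and signature hash.
$dump = certutil -dump $RequestFile | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $RequestFile" }
if ($dump -notmatch 'Public Key Length:\s*2048 bits') {
    throw 'Request key is not 2048 bits; recheck the template and request properties'
}
if ($dump -notmatch [regex]::Escape($Sha256Rsa)) {
    throw 'Request is not signed with SHA-256; recheck the hash algorithm setting'
}
Write-Host 'Request OK: 2048-bit key, SHA-256 signature'

# 2. After the CA returns the certificate: satisfy the pending request.
#    Run from an elevated prompt on the machine that created the request.
certreq -accept $IssuedCert
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 3. Inspect the installed certificate in Local Computer / Personal.
#    The CA chooses the hash it signs with, so a SHA-256 request does not
#    by itself guarantee a SHA-256 certificate; check the issued one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape("CN=$CommonName") } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$CommonName in LocalMachine\My" }

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key attached' }
if ($cert.PublicKey.Key.KeySize -ne 2048) { $problems += 'key size is not 2048' }
if ($cert.SignatureAlgorithm.Value -ne $Sha256Rsa) {
    $problems += "signed with $($cert.SignatureAlgorithm.FriendlyName)"
}
if ($problems.Count -gt 0) { throw ('Certificate check failed: ' + ($problems -join '; ')) }
Write-Host "Certificate OK: $($cert.Thumbprint), expires $($cert.NotAfter)"
```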