Requesting a SHA-256 certificate for EmpowerID using an external certificate authority

Support for the SHA-1 cryptographic hash algorithm is gradually being deprecated by Google, Microsoft and other industry leaders and replaced with SHA-256. Popular web browsers have begun showing warnings to end users in order to speed the adoption of SHA-256.

With computer hardware becoming faster and cheaper, SHA-1 is no longer reasonably safe from collision attacks. SSL certificates used for publicly facing EmpowerID websites should be upgraded to SHA-256 as soon as possible.

The following steps show how to request a SHA-256 certificate from an external certificate authority such as GoDaddy or Verizon.

SHA-256 certificates need to have the following properties to meet the Certificate Requirements for EmpowerID:

Key Usage: Digital Signature, Key Encipherment
Enhanced Key Usage: Server Authentication, Client Authentication
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Thumbprint algorithm: sha1
Provider: Microsoft Enhanced RSA and AES Cryptographic Provider

Please note that some applications and devices only support SHA-1 certificates. See: SHA-256 Compatibility.


Requesting a SHA-256 certificate:

  1. Open a text editor of your choice, such as Notepad. Copy and paste the following INF template:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*.domain.com"
Exportable = TRUE
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
SMIME = FALSE
RequestType = PKCS10
HashAlgorithm = SHA256
FriendlyName = "Certificate Friendly Name Here"

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=*.domain.com"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"


  2. Modify the sample INF file, changing the Subject, FriendlyName and Subject Alternative Name as needed.


  3. Click File > Save As... and choose a location where you wish to save the INF file. In the Save As window that appears, in the File Name field, enter the following, exactly as shown (including the quotes, so that Notepad does not append a .txt extension):

"EIDSHA256.inf"


  4. Open a Command Prompt window with Administrator privileges. In the Command Prompt window that appears, enter the following command and press ENTER:

certreq -new EIDSHA256.inf EIDSHA256.req

Note: For more detailed information regarding certreq, please see Microsoft TechNet.


  5. Provide the resulting EIDSHA256.req file to your external certificate authority.


  6. Your external certificate authority should return a .cer file. Save this file to the server where you created EIDSHA256.req, open a Command Prompt window with Administrator privileges, and type the following command to complete the certificate request (this pairs the issued certificate with the private key generated in step 4):

certreq -accept EIDSHA256.cer


  7. The completed certificate, together with its private key, will be installed into the computer's personal store (Console > Certificates (Local Computer) > Personal > Certificates). You can export a .pfx from here if you need to import it to any other servers.
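Before running certreq in step 4, the edited template can be checked against the certificate requirements listed at the top of this guide. The script below is an added example, not part of this guide or of EmpowerID; it assumes a hypothetical host name *.example.com, reads the INF the way certreq does (';' comments, %szOID_...% macros expanded from the [Strings] section) and reports which requirements the template fails to meet.

```python
import configparser
import re

# Constructed sample with a hypothetical host name, trimmed to the fields the checks read.
SAMPLE_INF = """\
[NewRequest]
Subject = "CN=*.example.com"
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
HashAlgorithm = SHA256
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=*.example.com"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
"""
DIGITAL_SIGNATURE, KEY_ENCIPHERMENT = 0x80, 0x20  # CAPI key-usage bits; 0xA0 is both
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
EXPECTED_PROVIDER = "Microsoft Enhanced RSA and AES Cryptographic Provider"

def parse_inf(text):
    """Read the INF as certreq does: ';' comments, case-kept keys, quoted values,
    and %name% macros in [Extensions] expanded from the [Strings] section."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key case so %szOID_...% names match [Strings]
    cp.read_string(text)
    strings = {k: v.strip('"') for k, v in cp["Strings"].items()}
    expand = lambda s: re.sub(r"%(\w+)%", lambda m: strings[m.group(1)], s)
    req = {k: v.strip('"') for k, v in cp["NewRequest"].items()}
    ext = {expand(k): expand(v.strip('"')).replace("{text}", "") for k, v in cp["Extensions"].items()}
    return req, ext

def check_inf(text):
    """Return the unmet requirements; an empty list means the template is acceptable."""
    req, ext = parse_inf(text)
    usage = int(req.get("KeyUsage", "0"), 16)
    cn = req.get("Subject", "").split("CN=")[-1].split(",")[0]
    sans = ext.get("2.5.29.17", "").split("&")  # certreq separates SAN entries with '&'
    checks = [
        ((usage & 0xA0) == 0xA0, "KeyUsage must include Digital Signature (0x80) and Key Encipherment (0x20)"),
        (req.get("HashAlgorithm", "").upper() == "SHA256", "HashAlgorithm must be SHA256"),
        (req.get("ProviderName") == EXPECTED_PROVIDER, "ProviderName must be " + EXPECTED_PROVIDER),
        ({SERVER_AUTH, CLIENT_AUTH} <= set(ext.get("2.5.29.37", "").split(",")), "Enhanced Key Usage must list Server and Client Authentication"),
        (f"dns={cn}" in sans, f"SAN should cover the Subject CN (dns={cn})"),  # added sanity check, not a listed requirement
    ]
    return [msg for ok, msg in checks if not ok]
```

Run check_inf on the contents of your own EIDSHA256.inf; a mismatch between the Subject CN and the SAN is the most common editing slip when the template is adapted.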



NOTE: If you wish to sign SAML responses with SHA-256, ensure that you have enabled SHA-256 XML signing support in EmpowerID.

Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.
