Requesting a SHA-256 certificate for EmpowerID using an external certificate authority
Support for the SHA-1 cryptographic hash algorithm is slowly being deprecated by Google, Microsoft and other industry leaders and replaced with SHA-256. Popular web browsers are beginning to show warnings to end users in order to speed the adoption rate of SHA-256.
With computer hardware becoming faster and cheaper, SHA-1 is no longer reasonably safe from collision attacks. SSL certificates being used for publicly facing EmpowerID websites should be upgraded to SHA-256 as soon as possible.
The following steps provide an example on how to request a SHA-256 certificate from an external certificate authority such as GoDaddy or Verizon.
SHA-256 certificates need to have the following properties to meet the Certificate Requirements for EmpowerID:
Key Usage: Digital Signature, Key Encipherment
Enhanced Key Usage: Server Authentication, Client Authentication
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Thumbprint algorithm: sha1
Provider: Microsoft Enhanced RSA and AES Cryptographic Provider
Please note that some applications and devices can only support SHA-1 certificates. Please see: SHA-256 Compatibility.
Requesting a SHA-256 certificate:
Open a text editor of your choice, such as Notepad. Copy and paste the following INF template:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=*.domain.com"
Exportable = TRUE
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
SMIME = FALSE
RequestType = PKCS10
HashAlgorithm = SHA256
FriendlyName = "Certificate Friendly Name Here"
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=*.domain.com"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
Modify the sample INF file, changing the Subject, FriendlyName and Subject Alternative Name as needed.
Click File > Save As... and choose a location where you wish to save the INF file. In the Save As window that appears, in the File Name field, enter the following, exactly as shown (the quotes stop Notepad from appending a .txt extension):
"EIDSHA256.inf"
Open a Command Prompt window with Administrator privileges. In the Command Prompt window that appears, enter the following command and press ENTER:
certreq -new EIDSHA256.inf EIDSHA256.req
Note: For more detailed information regarding certreq, please see Microsoft TechNet.
Provide the resultant EIDSHA256.req file to your external certificate authority.
Your external certificate authority should provide you back with a .cer file. Save this file to the server where you created the EIDSHA256.req.
Open a Command Prompt window with Administrator privileges. Type in the following command to complete the certificate request.
certreq -accept EIDSHA256.cer
The completed private key certificate will be installed into the computer's personal store (Console > Certificates (Local Computer) > Personal > Certificates).
You can export a .pfx from here if you need to import it to any other servers.
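The following PowerShell script is an added example and is not part of this guide or of EmpowerID. It covers two checks a practitioner typically wants after following the steps above: an inventory of certificates in the computer's personal store that are still signed with SHA-1 and therefore due for replacement, and a verification that the certificate installed by certreq -accept actually carries the properties listed in the Certificate Requirements section (sha256RSA signature, Digital Signature and Key Encipherment key usage, Server and Client Authentication EKUs, a private key held by the Microsoft Enhanced RSA and AES Cryptographic Provider). It assumes an elevated PowerShell session on the server where certreq was run and that $FriendlyName matches the FriendlyName you set in the INF file; the function names are the example's own.

```powershell
# Added example (not from the EmpowerID guide). Assumes an elevated PowerShell
# session on the server where "certreq -accept" was run.

$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'   # szOID_PKIX_KP_SERVER_AUTH (from the INF template)
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'   # szOID_PKIX_KP_CLIENT_AUTH (from the INF template)
$RequiredProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function Get-Sha1Certificate {
    # Inventory of certificates still signed with SHA-1, so they can be scheduled for replacement.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -eq 'sha1RSA' } |
        Select-Object Subject, FriendlyName, NotAfter, Thumbprint
}

function Test-EmpowerIDCertificate {
    # Checks one certificate against the properties listed in this guide and
    # returns an object with Compliant = $true/$false plus the list of problems.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = @()

    # Signature algorithm: sha256RSA
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -ne 'sha256RSA') {
        $problems += "Signature algorithm is '$sigAlg', expected sha256RSA"
    }

    # Key Usage: Digital Signature, Key Encipherment (the 0xA0 in the INF)
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $requiredKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor
                  [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (($ku.KeyUsages -band $requiredKu) -ne $requiredKu)) {
        $problems += 'Key Usage must include Digital Signature and Key Encipherment'
    }

    # Enhanced Key Usage: Server Authentication and Client Authentication
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in @($ServerAuthOid, $ClientAuthOid)) {
        if ($ekuOids -notcontains $oid) { $problems += "Enhanced Key Usage is missing OID $oid" }
    }

    # Private key present and held by the expected CSP. The INF uses a legacy CSP
    # (ProviderType 24), so the key surfaces as RSACryptoServiceProvider; a CNG key
    # would not expose CspKeyContainerInfo and is reported as a provider mismatch.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key associated; run certreq -accept on the server that generated the request'
    } else {
        $provider = $null
        try {
            $key = $Certificate.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $key.CspKeyContainerInfo.ProviderName
            }
        } catch { }
        if ($provider -ne $RequiredProvider) {
            $problems += "Private key provider is '$provider', expected '$RequiredProvider'"
        }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: list remaining SHA-1 certificates, then verify the newly accepted one.
Get-Sha1Certificate | Format-Table -AutoSize

$FriendlyName = 'Certificate Friendly Name Here'   # must match FriendlyName in EIDSHA256.inf
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    ForEach-Object { Test-EmpowerIDCertificate -Certificate $_ } |
    Format-List
```

A certificate reported as non-compliant with "No private key associated" usually means the .cer was accepted on a different machine from the one that ran certreq -new; the private key only exists where the request was generated, so either accept it there and export a .pfx, or generate a new request.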
NOTE: If you wish to sign a SAML response with SHA-256 please ensure you have enabled SHA-256 XML signing support in EmpowerID.
Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.