Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services

Support for the SHA-1 cryptographic hash algorithm is slowly being deprecated by Google, Microsoft and other industry leaders and replaced with SHA-256. Popular web browsers have begun showing warnings to end users in order to speed the adoption of SHA-256.

With computer hardware becoming faster and cheaper, SHA-1 is no longer reasonably safe from collision attacks. SSL certificates used for publicly facing EmpowerID websites should be upgraded to SHA-256 as soon as possible.

Please note that some applications and devices can only support SHA-1 certificates. Please see: SHA-256 Compatibility.

Businesses that have Active Directory Certificate Services (AD CS) available may wish to issue a SHA-256 certificate for EmpowerID using their existing Public Key Infrastructure (PKI). The following steps detail how to request a SHA-256 certificate for use with EmpowerID using AD CS.

SHA-256 certificates need to have the following properties to meet the Certificate Requirements for EmpowerID:

Key Usage: Digital Signature, Key Encipherment
Enhanced Key Usage: Server Authentication, Client Authentication
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Thumbprint algorithm: sha1
Provider: Microsoft Enhanced RSA and AES Cryptographic Provider
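The following PowerShell function is an added example, not part of the EmpowerID guide. It checks a certificate in the local computer's Personal store against the properties listed above (Key Usage, Enhanced Key Usage, signature algorithm, key size and provider). It assumes Windows PowerShell 5.1 on the EmpowerID server and a private key created by the Microsoft Enhanced RSA and AES Cryptographic Provider (a CAPI/CSP key), which is what the template below produces; the subject name passed in is a placeholder.

```powershell
# Added example (not part of the EmpowerID guide): verify that an installed certificate
# has the properties EmpowerID requires. Run in an elevated Windows PowerShell 5.1 prompt.
function Test-EmpowerIDCertificate {
    param(
        [Parameter(Mandatory)][string]$SubjectCN,   # common name you requested, e.g. sso.company.com (placeholder)
        [int]$MinimumKeySize = 2048                 # the template's Minimum key size
    )

    # Newest certificate whose subject starts with the requested CN.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" -or $_.Subject -like "CN=$SubjectCN,*" } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$SubjectCN in Cert:\LocalMachine\My" }

    $findings = New-Object System.Collections.Generic.List[string]

    # Key Usage (OID 2.5.29.15): Digital Signature and Key Encipherment must both be set.
    $ku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku) {
        $findings.Add('Key Usage extension is absent')
    } elseif (($ku.KeyUsages -band $need) -ne $need) {
        $findings.Add("Key Usage is '$($ku.KeyUsages)'; Digital Signature and Key Encipherment are required")
    }

    # Enhanced Key Usage (OID 2.5.29.37): Server Authentication and Client Authentication, matched by OID.
    $eku     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $present = @()
    if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
    foreach ($oid in $required.Keys) {
        if ($present -notcontains $oid) { $findings.Add("Enhanced Key Usage lacks $($required[$oid]) ($oid)") }
    }

    # Signature algorithm: sha256RSA (OID 1.2.840.113549.1.1.11). The "Thumbprint algorithm: sha1"
    # line above is how Windows identifies the certificate, not a property of its signature.
    if ($cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
        $findings.Add("Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName); expected sha256RSA")
    }

    # RSA key size against the template's minimum.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa) {
        $findings.Add('Public key is not RSA')
    } elseif ($rsa.KeySize -lt $MinimumKeySize) {
        $findings.Add("RSA key is $($rsa.KeySize) bits; expected at least $MinimumKeySize")
    }

    # Provider: a CSP-backed private key exposes its provider name through RSACryptoServiceProvider.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('Certificate has no private key in this store')
    } else {
        $provider = '<unreadable or CNG key: no CSP provider name>'
        try {
            $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
            if ($csp) { $provider = $csp.CspKeyContainerInfo.ProviderName }
        } catch { }
        if ($provider -ne 'Microsoft Enhanced RSA and AES Cryptographic Provider') {
            $findings.Add("Provider is '$provider'; expected Microsoft Enhanced RSA and AES Cryptographic Provider")
        }
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage on the EmpowerID front end server (CN is a placeholder):
Test-EmpowerIDCertificate -SubjectCN 'sso.company.com' | Format-List
```

A `Compliant` value of `$false` comes with a `Findings` list naming each property that differs from the table above, so a certificate issued from a mis-configured template can be diagnosed before it is bound in IIS.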

Configuring the Certificate Template

  1. Open Certification Authority on your root certification authority (CA) server. In the certification authority tree on the left hand side, right click the server node and click Properties.

  2. In the Cryptographic settings section, please take note of the Provider and Hash algorithm currently being used.

NOTE: If your certification authority (CA) cryptographic settings show a Hash algorithm of SHA1, it is recommended to upgrade to SHA256. Please read the following Windows PKI blog entry: Upgrade Certification Authority to SHA256. Once the operating system of the certification authority server has been upgraded to Windows Server 2008 or higher, the following commands can be run to upgrade the hash algorithm to SHA2 (SHA-256):

certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc

Once the steps above have been performed, the Hash algorithm shown in the server properties pane should read SHA256.
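As an added example that is not part of the EmpowerID guide, the following PowerShell reads back the CA settings that the certutil commands above write, so the change can be confirmed without opening the properties pane. It assumes a single CA configuration under the CertSvc service key and is run in an elevated prompt on the CA server. Two caveats it surfaces: the CNGHashAlgorithm value only takes effect when the CA key is held by a CNG key storage provider (KSP), and the setting changes how newly issued certificates and CRLs are signed, not the signature on the CA's own existing certificate.

```powershell
# Added example (not part of the EmpowerID guide): report the hash algorithm the CA will use
# for newly issued certificates, read from the registry keys behind certutil -setreg ca\csp\...
function Get-CAHashSettings {
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName     = (Get-ItemProperty -Path $configRoot).Active                       # name of the running CA
    $caKey      = Join-Path -Path $configRoot -ChildPath $caName
    $csp        = Get-ItemProperty -Path (Join-Path -Path $caKey -ChildPath 'CSP')

    # CNGHashAlgorithm is honoured only when the CA key lives in a KSP (e.g. Microsoft Software
    # Key Storage Provider). A CA whose key is still in a legacy CSP keeps using the numeric
    # HashAlgorithm ALG_ID and must have its key migrated to a KSP first (see the blog entry above).
    $usesKsp = ($csp.ProviderType -eq 0) -or ($csp.Provider -like '*Key Storage Provider*')
    if ($usesKsp) {
        $effective = $csp.CNGHashAlgorithm
    } else {
        $effective = 'legacy CSP ALG_ID 0x{0:X} (CNGHashAlgorithm is ignored)' -f $csp.HashAlgorithm
    }

    # The CA's own certificate is not re-signed by this setting; locate it by the thumbprint
    # AD CS records (CACertHash holds space-separated hex, newest entry last).
    $thumb  = (@((Get-ItemProperty -Path $caKey).CACertHash) | Select-Object -Last 1) -replace ' ', ''
    $caCert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    $caSig  = 'CA certificate not found in Cert:\LocalMachine\My'
    if ($caCert) { $caSig = $caCert.SignatureAlgorithm.FriendlyName }

    [pscustomobject]@{
        CA                    = $caName
        Provider              = $csp.Provider
        KeyInKsp              = $usesKsp
        IssuanceHashAlgorithm = $effective
        CACertSignature       = $caSig
        Sha256InEffect        = ($usesKsp -and $csp.CNGHashAlgorithm -eq 'SHA256')
    }
}

Get-CAHashSettings | Format-List
```

`Sha256InEffect` is the value to look at after `net start certsvc`; `CACertSignature` may still read sha1RSA on a CA that was set up before the change, which is expected and only matters for a subordinate CA whose certificate the browser must validate.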

  3. In the certification authority tree on the left hand side, expand the server node. Right click Certificate Templates and click Manage.

  4. In the Certificate Templates Console window that appears, in the Template pane, scroll down to the Web Server template. Right click the Web Server template and click Duplicate Template.

  5. In the Properties of New Template window that appears, click the General tab. Click the Template display name field and type EmpowerID Web Server. Choose an appropriate Validity period and Renewal period as per your corporate security policy.

  6. Click the Request Handling tab. Check Allow private key to be exported if you need to export the private key to a .pfx file once the certificate request is completed. This is useful if you have more than one EmpowerID server; you can import the resultant .pfx into the other EmpowerID servers as needed. Allowing the private key to be exported also allows EmpowerID to upload and store the private key as an encrypted string within the CertificateStore table.

  7. Click the Cryptography tab. Choose an appropriate Minimum key size as per your corporate security policy (2048 or higher is recommended). The Choose which cryptographic providers can be used for requests radio button should be set to Requests must use one of the following providers. In the Providers checklist, please ensure only the following provider is checked:

Microsoft Enhanced RSA and AES Cryptographic Provider

  8. Click the Subject Name tab. Please ensure the Supply in the request radio button is selected.

  9. Click the Security tab. Click Add... In the Select Users, Computers, Service Accounts, or Groups window that appears, click the Object Types... button.

10. In the Object Types window that appears, in the Object types checklist, check Computers and click OK.

11. You will be returned to the Select Users, Computers, Service Accounts, or Groups window. In the Enter the object names to select field, type the computer account of the EmpowerID front end server and click OK.

12. You will be returned to the Properties of New Template window. Click on the computer account of your EmpowerID front end server to select it. In the Permissions pane, for the Enroll permission, check Allow.

13. Click the Extensions tab. Under Extensions included in this template:, click Application Policies. Click Edit...

14. In the Edit Application Policies Extension window that appears, in the Application policies: pane, click Add...

15. In the Add Application Policy window that appears, click Client Authentication to select it and click OK.

You will be returned to the Edit Application Policies Extension window. Click OK.

16. In the Extensions tab, under Extensions included in this template:, click Key Usage. Click Edit...

17. In the Edit Key Usage Extension window that appears, in the Signature pane, please confirm Digital signature is checked. In the Encryption pane, please confirm the Allow key exchange only with key encryption (key encipherment) radio button is selected and Make this extension critical is checked. Click Cancel once this information has been confirmed.

18. You will be returned to the Properties of New Template window. Click OK to confirm the creation of the certificate template. You should now see EmpowerID Web Server in the list of certificate templates.

19. Open Certification Authority. In the certification authority tree on the left hand side, right click on Certificate Templates and choose New > Certificate Template to Issue.

20. In the Enable Certificate Templates window that appears, click on EmpowerID Web Server and click OK.

21. You will be returned to the Certification Authority window. In the certificate templates pane on the right hand side, EmpowerID Web Server should now appear as an issuable certificate template.

Requesting the certificate template

  1. Open the Certificates snap-in on your EmpowerID front end server. Ensure the snap-in is configured to manage certificates for the local computer account.

  2. In the certificate store tree on the left hand side, expand Certificates (Local Computer). Expand Personal. Right click Certificates and click All Tasks > Request New Certificate.

  3. In the Certificate Enrollment window that appears, click Next. In the Select Certificate Enrollment Policy pane, ensure Active Directory Enrollment Policy is selected and click Next.

  4. In the Request Certificates screen that appears, under the Active Directory Enrollment Policy section, check EmpowerID Web Server and then click the link labeled More information is required to enroll for this certificate. Click here to configure settings.

  5. In the Certificate Properties window that appears, in the Subject name section, click the Type drop down and choose Common name. Enter the desired common name, such as sso.company.com, server1.company.com, or *.company.com, into the Value field. Click the Add > button when finished.

  6. Click the Type drop down and fill out any other optional fields as desired, such as Organization, State, Street address, Country, Email, Locality, etc. Click the Add > button after each entry.

  7. In the Alternative name section, click the Type drop down and choose DNS. Enter the desired DNS name into the Value field and click the Add > button.

NOTE: The DNS values you provide here need to match any and all URLs that end users will be using to access EmpowerID. If the URLs do not match end users will be prompted with a security warning when accessing EmpowerID.

For example, if you use an F5 Networks load balanced URL of sso.company.com that points to two EmpowerID front end servers named server1.company.com and server2.company.com, it would be recommended to add

sso.company.com
server1.company.com
server2.company.com

as DNS values. You may use wildcards such as *.company.com if desired.

  8. Click the General tab. Provide a certificate Friendly name and Description as desired.

  9. Click the Private Key tab. Expand Cryptographic Service Provider by clicking on the down arrow. In the Select cryptographic service provider (CSP) checklist, ensure only Microsoft Enhanced RSA and AES Cryptographic Provider (Encryption) is checked. Click OK when finished.

10. You will be returned to the Certificate Enrollment window. Click Enroll.

11. The Certificate Installation Results screen will appear. Click Finish.

12. You will be returned to the Certificates snap-in. The newly requested certificate will be present in the Personal store, ready for use with Internet Information Services (IIS) and EmpowerID.

13. Using the Certificates snap-in, export the certificate (including the private key) and import the resultant .pfx into any other EmpowerID servers as needed.
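The enrollment, SAN check and export described in this section can also be done from an elevated Windows PowerShell prompt on the EmpowerID front end server. The script below is an added example and is not part of the EmpowerID guide. It assumes the duplicated template's Template name (on the General tab) is EmpowerIDWebServer, which is the console default when the display name is "EmpowerID Web Server"; change `$TemplateName` if yours differs. The host names and the export path are placeholders, and the provider does not need to be chosen in the request because the template restricts requests to the Microsoft Enhanced RSA and AES Cryptographic Provider.

```powershell
# Added example (not part of the EmpowerID guide): enroll for the EmpowerID Web Server template,
# confirm every user-facing host name is covered by a DNS SAN, then export the .pfx.
$TemplateName = 'EmpowerIDWebServer'                                             # assumption: template name, not display name
$CommonName   = 'sso.company.com'                                                # placeholder
$UserFacing   = @('sso.company.com', 'server1.company.com', 'server2.company.com')  # every URL host users will type (placeholders)
$PfxPath      = "C:\certs\$CommonName.pfx"                                       # placeholder

function Test-DnsNameCovered {
    # A SAN entry covers a host name if it matches exactly or is a single-label wildcard for the
    # same parent domain: *.company.com covers sso.company.com but not a.b.company.com.
    param([string]$HostName, [string[]]$SanNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($san in $SanNames) {
        $s = $san.ToLowerInvariant()
        if ($s -eq $h) { return $true }
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)                                            # ".company.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# 1. Enroll against the Active Directory enrollment policy (steps 3 to 11 of the wizard above).
#    The template is set to "Supply in the request", so the subject and SANs are given here.
$result = Get-Certificate -Template $TemplateName -SubjectName "CN=$CommonName" `
                          -DnsName $UserFacing -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment ended with status '$($result.Status)'; check the Enroll permission for this computer account"
}

# 2. Re-read the certificate through the Cert: drive, whose objects carry DnsNameList (the decoded SAN).
$cert     = Get-Item -Path "Cert:\LocalMachine\My\$($result.Certificate.Thumbprint)"
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing  = @($UserFacing | Where-Object { -not (Test-DnsNameCovered -HostName $_ -SanNames $sanNames) })
if ($missing.Count -gt 0) {
    throw "Not covered by a SAN (users would see a browser warning): $($missing -join ', ')"
}

# 3. Export with the private key for the other EmpowerID servers. This only succeeds when
#    "Allow private key to be exported" was checked on the template's Request Handling tab.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path -Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath. On each other EmpowerID server run:"
"Import-PfxCertificate -FilePath '$PfxPath' -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)"
```

`Get-Certificate` returns a status rather than throwing when the CA refuses the request, so the explicit `Issued` check is what catches a missing Enroll permission; the SAN check encodes the note above about every URL needing to match, including the one-label rule for wildcards.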

NOTE: If you wish to sign a SAML response with SHA-256 please ensure you have enabled SHA-256 XML signing support in EmpowerID.

Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.