SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased the feasibility of breaking the SHA1 hash has increased. Plans within the industry have been made to transition from SHA1 to SHA256 (SHA2). However with recent announcements from Microsoft and Google about depreciating support for SHA1 in browsers this transition has been accelerated.

It is important to understand that this mainly affects browser based SSL certificates. Some applications and devices can only support SHA1 certificates. Please check with your software vendor/hardware provider how this affects specific equipment. However consideration should be given to ongoing security and the feasibility of cracking SHA1.

So here I am updating on how to upgrade SHA1 to SHA2 in Exchange 2013, being DigiCert as provider, for any other provider except generating Duplicate certificate, all other steps would remains same.

Step 1 : Create a New CSR in Exchange

Logon EAC -> Navigate to Servers -> Certificates.

Cert1
Click on “+” to create new CSR, Follow the below images

Cert2

Select create a request for certificate from a certificate authority

Cert3

Provide the friendly name

Cert4

If wild card required mention, Most of the case it will be blank as we will be adding only for few services.

Cert5

Select any one of the exchange server where it has to be stored

Cert6

Select which services should be using this (owa.cloudexchangers.com, autodiscover.cloudexchangers.com etc)

Cert7

Provide the exact info as mentioned in existing SHA1 cerificate, to get this information you can either check it in EAC or run Get-ExchangeCertificate from Powershell

Cert8

Store the Certificate to shared drive or local as mentioned above

Now, Your CSR is ready, Open with notepad and copy the whole content.

Cert9

Next step, Logon to Certificate provider, Example : DigiCert (or) Godaddy etc. In our case it is DigiCert

cert10

Click on Get a Duplicate, and Select Exchange Server, Paste the CSR content to generate new certificate.

Once done, You can now download the new SHA2 version of certificate.

cert11

Now, Your new downloaded certificate will be available for install.

cert12

Import the new certificate using MMC Snap -in, You can see new certificate installed on Exchange, assign services as needed.

If you have multiple servers, You may keep adding the certificates using MMC.

How to verify, SHA2 algorithms being used.

Login to OWA using Chrome browser and Click on Green Symbol in address bar, You will see it as below:

cert12

That’s it we are done, Please feel free to comment for questions or feedback

 

By Kingson Jebaraj

Microsoft MVP, Blogger, Owner and Publisher for Cloudexchangers.com, Microsoft TechNet Author, Solution Architect, Former Office365 Technical Lead for Microsoft(Partner) Extensive knowledge and experience in Microsoft Exchange and Cloud Messaging Services and has got more exposure on Messaging environment deployment,migration,designing and other project management activities, I have earned real time experience in handling multi-site distributed critical large environment of messaging system. Been awarded as an MVP (Microsoft Most Valuable Professional) for Office Servers and services from Microsoft for an exceptional real world contribution made through Microsoft forums and other Microsoft communities. Currently working as “Solution Architect” on Private/Public cloud and SaaS environment for Pacific Controls, UAE, Dubai. One of the largest TIER III certified green data center campus in the middle east.

Leave a Reply

Your email address will not be published. Required fields are marked *