SHA1 is the hash algorithm used in the signatures of most SSL/TLS certificates issued to date. As computing power has increased, the feasibility of finding SHA1 collisions, and with them of forging a certificate signature, has increased too. The industry had already planned a transition from SHA1 to SHA256 (a member of the SHA2 family), but the recent announcements from Microsoft and Google that their browsers will deprecate SHA1-signed certificates have accelerated that transition.
It is important to understand that this mainly affects certificates presented to browsers. Some applications and devices can only handle SHA1 certificates, so check with your software vendor or hardware provider how the change affects specific equipment. Even there, weigh the ongoing risk: the cost of attacking SHA1 keeps falling.
Here is how to upgrade a SHA1 certificate to SHA2 in Exchange 2013, with DigiCert as the provider. With any other provider only the "Get a Duplicate" step differs; all other steps remain the same.
Step 1 : Create a New CSR in Exchange
Log on to the EAC and navigate to Servers -> Certificates.
Click "+" to create a new CSR and work through the wizard:
Select "Create a request for a certificate from a certification authority".
Provide a friendly name.
Tick the wildcard option only if you need a wildcard certificate; in most cases it stays unchecked, since the certificate covers only a few named services.
Select the Exchange server on which the request, and the private key generated with it, will be stored.
Select the services (host names) the certificate should cover, for example owa.cloudexchangers.com and autodiscover.cloudexchangers.com.
Provide exactly the organisation and subject information found in the existing SHA1 certificate; you can read it in the EAC or with Get-ExchangeCertificate from the Exchange Management Shell.
Save the request file to a share or a local folder; the EAC expects a UNC path such as \\server\share\ex2013-sha2.req (the file name is an example).
Your CSR is now ready. Open the .req file in Notepad and copy its whole content.
Next, log on to your certificate provider's portal (DigiCert, GoDaddy, etc.). In our case it is DigiCert.
Click "Get a Duplicate", select "Exchange Server" as the platform, and paste the CSR content to generate the new certificate.
Once it is issued, download the new SHA2 version of the certificate.
The downloaded certificate is now ready to install.
Import the new certificate on the same server that generated the CSR, either with the "Complete" link of the pending request in the EAC (Servers -> Certificates) or through the Certificates MMC snap-in into the Local Computer personal store. That server holds the private key created with the CSR, so the certificate pairs with it and shows up in the EAC as valid; assign services (IIS, SMTP, etc.) to it as needed.
If you have multiple servers, do not simply repeat the .cer import on each of them with MMC: only the first server has the private key. Export the certificate with its private key as a password-protected PFX from that server and import the PFX on the others.
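The whole procedure above, done from the Exchange Management Shell instead of the EAC and MMC, as an added example that is not part of the original post. Server names (EX01, EX02, EX03), host names, the share paths and the friendly name are placeholders to replace with your own; the cmdlets and parameters are the standard Exchange 2013 ones.

```powershell
# Added example (not from the original post): SHA1 -> SHA2 certificate
# replacement on Exchange 2013 from the Exchange Management Shell.
# EX01/EX02/EX03, the host names and the UNC paths are placeholders.

$Server  = 'EX01'                              # server that will hold the private key
$Hosts   = 'owa.cloudexchangers.com','autodiscover.cloudexchangers.com'
$ReqFile = '\\EX01\CertShare\ex2013-sha2.req'  # -RequestFile must be a UNC path
$CerFile = '\\EX01\CertShare\ex2013-sha2.cer'  # certificate downloaded from the CA
$PfxFile = '\\EX01\CertShare\ex2013-sha2.pfx'

# 1. Read subject and SANs of the current SHA1 certificate (the one bound to
#    IIS) so the new request carries exactly the same information.
$old = Get-ExchangeCertificate -Server $Server |
       Where-Object { $_.Services -like '*IIS*' } |
       Select-Object -First 1
$old | Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint

# 2. Generate the CSR (PKCS#10, base64) with a 2048-bit exportable key.
New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName 'Exchange 2013 SHA2' `
    -SubjectName $old.Subject `
    -DomainName $Hosts `
    -KeySize 2048 -PrivateKeyExportable $true `
    -RequestFile $ReqFile

# Submit the content of $ReqFile to the CA ("Get a Duplicate" at DigiCert)
# and save the issued certificate as $CerFile before continuing.

# 3. Complete the pending request on the SAME server (it owns the private
#    key), then bind the new certificate to the services.
$new = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint -Services IIS,SMTP

# 4. Additional servers: export certificate + private key as a password
#    protected PFX and import that, never the bare .cer.
$pw  = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint `
    -BinaryEncoded -Password $pw
Set-Content -Path $PfxFile -Value $pfx.FileData -Encoding Byte

foreach ($other in 'EX02','EX03') {
    $imp = Import-ExchangeCertificate -Server $other -Password $pw `
        -FileData ([Byte[]](Get-Content -Path $PfxFile -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Server $other -Thumbprint $imp.Thumbprint -Services IIS,SMTP
}

# Remove the PFX from the share once every server has it; it contains the
# private key.
Remove-Item -Path $PfxFile
```

Enable-ExchangeCertificate asks for confirmation before it replaces the default SMTP certificate; answer it on each server. The PFX is the sensitive artefact of this procedure, hence the cleanup at the end and the password prompt rather than a password in the script.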
How to verify that SHA2 is being used
Log in to OWA with Chrome, click the padlock in the address bar and open the certificate details; the "Signature algorithm" field should read sha256RSA. Check the intermediate CA certificate in the chain as well, since the browsers also flag a SHA1-signed intermediate (only the self-signed root is exempt).
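The same check from PowerShell, for the served certificate and every certificate in its chain, as an added example that is not part of the original post. The host name is a placeholder; the function reads the signature algorithm name Windows reports for each certificate (sha1RSA, sha256RSA, ...), which is what the browser's certificate viewer shows.

```powershell
# Added example (not from the original post): report the signature algorithm
# of the certificate a host presents and of each certificate in its chain.
# 'owa.cloudexchangers.com' below is a placeholder host name.
function Get-TlsSignatureAlgorithms {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: we only want to read
        # it here, the chain is built and inspected separately below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; we check algorithms, not revocation
    [void]$chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject      = $c.Subject
            SignatureAlg = $c.SignatureAlgorithm.FriendlyName
            NotAfter     = $c.NotAfter
            # Browsers do not check the self-signed root's own signature,
            # so a SHA1 root is fine while a SHA1 leaf or intermediate is not.
            IsRoot       = ($c.Subject -eq $c.Issuer)
            Sha1Problem  = ($c.SignatureAlgorithm.FriendlyName -match '^sha1') -and ($c.Subject -ne $c.Issuer)
        }
    }
}

# Usage: any row with Sha1Problem = True will still trigger the browser warning.
Get-TlsSignatureAlgorithms -HostName 'owa.cloudexchangers.com' | Format-Table -AutoSize

# Local check on the Exchange server itself (no network connection needed).
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, @{ n = 'SignatureAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }
```

Run the remote check from a client outside the Exchange servers so you see the chain exactly as a browser would, including whatever intermediate the server sends (or fails to send).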
That's it, we are done. Please feel free to comment with questions or feedback.