SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased, the feasibility of breaking the SHA1 hash has increased with it. Plans within the industry have been made to transition from SHA1 to SHA256 (SHA2). However, with recent announcements from Microsoft and Google about deprecating support for SHA1 in browsers, this transition has been accelerated.

It is important to understand that this mainly affects browser-based SSL certificates. Some applications and devices can only support SHA1 certificates, so please check with your software vendor or hardware provider how this affects your specific equipment. However, consideration should still be given to ongoing security and the feasibility of cracking SHA1.

So here is how to upgrade from SHA1 to SHA2 in Exchange 2013, using DigiCert as the provider. For any other provider, everything except the step of generating the duplicate certificate remains the same.

Step 1: Create a new CSR in Exchange

Log on to the EAC -> Navigate to Servers -> Certificates.

Click on “+” to create a new CSR and follow the images below.


Select “Create a request for a certificate from a certificate authority”.


Provide the friendly name.


If a wildcard certificate is required, specify it here. In most cases this will be left blank, as we will be adding the certificate only for a few services.


Select any one of the Exchange servers where the request has to be stored.


Select which services should use this certificate (, etc).


Provide exactly the same information as in the existing SHA1 certificate. To get this information you can either check it in the EAC or run Get-ExchangeCertificate from PowerShell.


Save the certificate request to a shared drive or a local path as mentioned above.

Now your CSR is ready. Open it with Notepad and copy the whole content.


Next, log on to your certificate provider, for example DigiCert or GoDaddy. In our case it is DigiCert.


Click on Get a Duplicate, select Exchange Server, and paste the CSR content to generate the new certificate.

Once done, you can download the new SHA2 version of the certificate.


Your newly downloaded certificate is now available for install.


Import the new certificate using the MMC snap-in. You will see the new certificate installed on Exchange; assign services to it as needed.

If you have multiple servers, you may keep adding the certificate to each of them using MMC.

How to verify that SHA2 algorithms are being used.

Log in to OWA using the Chrome browser and click on the green symbol in the address bar. You will see it as below:
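As an added check that is not part of the original post, the following PowerShell audits the signature algorithm both of the certificates in the server's Local Computer store and of the certificate OWA actually presents over TLS, which is what the browser sees. The host name mail.example.com is a placeholder.

```powershell
# Added example, not from the original post: audit certificate signature
# algorithms on an Exchange server, in the Local Computer\Personal store
# (where Exchange certificates live) and as served by OWA. Host is a placeholder.

function Get-LocalCertSignatureAlgorithm {
    # Lists every certificate in Cert:\LocalMachine\My with its signature
    # algorithm (e.g. sha1RSA or sha256RSA) and flags the SHA1-signed ones.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Algorithm  = $_.SignatureAlgorithm.FriendlyName
            IsSha1     = $_.SignatureAlgorithm.FriendlyName -like 'sha1*'
        }
    }
}

function Get-ServedCertSignatureAlgorithm {
    # Performs a TLS handshake against the OWA endpoint and reports the
    # signature algorithm of the leaf certificate the server presents.
    # This confirms the new certificate was assigned to the IIS service,
    # not merely imported into the store.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Chain validation is skipped on purpose: we only inspect the leaf.
        $ignoreChain = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreChain)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName   = $HostName
            Subject    = $leaf.Subject
            Thumbprint = $leaf.Thumbprint
            Algorithm  = $leaf.SignatureAlgorithm.FriendlyName
            IsSha1     = $leaf.SignatureAlgorithm.FriendlyName -like 'sha1*'
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: list SHA1-signed certificates still in the store, then check what OWA serves.
Get-LocalCertSignatureAlgorithm | Where-Object { $_.IsSha1 } | Format-Table -AutoSize
Get-ServedCertSignatureAlgorithm -HostName 'mail.example.com'   # placeholder host
```

Run it from an elevated PowerShell session on the Exchange server; an Algorithm of sha256RSA on the served certificate confirms the SHA2 certificate is the one bound to OWA.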


That’s it, we are done. Please feel free to comment with questions or feedback.


By Kingson Jebaraj

Microsoft MVP, Blogger, Owner and Publisher for, Microsoft TechNet Author, Solution Architect, Former Office365 Technical Lead for Microsoft (Partner). Extensive knowledge and experience in Microsoft Exchange and Cloud Messaging Services, with broad exposure to messaging environment deployment, migration, design and other project management activities. I have earned real-time experience in handling multi-site, distributed, critical, large messaging environments. Awarded as an MVP (Microsoft Most Valuable Professional) for Office Servers and Services by Microsoft for an exceptional real-world contribution made through Microsoft forums and other Microsoft communities. Currently working as “Solution Architect” on private/public cloud and SaaS environments for Pacific Controls, UAE, Dubai, one of the largest TIER III certified green data center campuses in the Middle East.