This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I have been trying to create server certificates that are SHA256 and keep getting SHA1 results.
Using the MMC in the CSR wizard (from right clicking in the certificate store, then selecting Tasks -> Advanced Operations -> Create Request). The Before you begin window shows and select next. The problem comes when the Custom Request window is displayed. I found a "how to" but in the Template box on the "how to" it said No Template. When I do this on my servers I get the attached options.
Which of these options should I use to create a SHA256 CSR for the server for RDP purposes and which option should I select for a SHA256 CSR for a URL (Note: Web Server is not creating a SHA256 CSR).
Side Question: Is there a way to "force" Win2k16SVR to automatically generate SHA256 certificates via the registry or remove SHA1 as an option to the system?
The reason I ask is our CSR script defaults to SHA1 which is no longer acceptable so we would like to continue using the script but have SHA256 be the default. I know this can be done on a AD server but can this be forced on a member server?
After doing some poking around I noticed on the "select certificate enrollment policy" screen of the CSR wizard it lists an Active Directory Enrollment Policy. If I hit the drop down and select properties, it gives me the Enrollment Policy ID and the Server URI (which I gather is our AD DC). However, it will not let me remove the Server URI listed. Is this preventing me from not selecting the No Template option when I start the CSR? If I select Add New, I can enter an Enrollment Policy Server URI, but I do not know what that would be to get back to No Template for custom CSRs. I have tried the Authentication types and none are allowed to be chosen as they do not validate.
It's more common to skip the user interface (which might not receive fast updates), and use PowerShell with certreq to achieve all advanced settings.
You can find a sample from here and modify it based on your own requirements.