SHA-2 Certificates in AD FS 3.0

So I’ve come across this a couple of times and I’m sure it will begin to be more visible in the near future.  A big shout-out to  who posted this information -THANK YOU!

AD FS on Windows Server 2012 R2 (often referred to as “AD FS 3.0”) no longer has a dependency on IIS. One of the common methods used to generate a “Certificate Signing Request” (CSR) is to use IIS on the server you need the certificate on or by using another IIS server in the organization. Without access to IIS, your options for generating the CSR are to use the MMC snap-in, one of the native command line utilities or some third-party tools.

as Joe’s article explains in more detail (read his post), I’d like to just get to the task at hand…

Create a Certificate Request (SHA-2) with PowerShell

  • Create a file called “request.inf” with the following content

(customized to your organization, of course)

Signature="$Windows NT$"
Subject = ",O=Company Contoso,L=Phoenix,S=Arizona,C=US"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10
FriendlyName = " (SHA2)"
OID= ; Server Authentication

If you need a Subject Alternative Name (SAN) such as “” because you’re using “Workplace Join” or if you need SANs for any other reason, check out “How to Request a Certificate With a Custom Subject Alternative Name

  • On your primary AD FS server, launch PowerShell (run as Administrator) and run the following command:
certreq.exe -new request.inf sts_company_com.req
  • After receiving the response back from your third-party Certificate Authority, run the following to complete the request:
certreq.exe -accept
  • From here, you can export out the certificate using the MMC snap-in and import it into your other AD FS servers and proxies.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s