
How to Create a SHA256 Self-Signed Certificate for SMTP Secure Communication by CertReq

Michael Wu

This article outlines the process for generating a SHA-2 (SHA-256) TLS certificate for SMTP. A SHA-2 certificate issued for your domain by a CA is an option, but a self-signed certificate works well for testing environments. The certificate creation tool built into IIS Manager only produces SHA-1 certificates, so an alternative approach using CertReq.exe is needed.

Test Environment: Windows Server 2008 R2 Standard SP1

Three-Step Process

  1. Create a .inf file
  2. Run CertReq command
  3. Import the certificate to Trusted Root Certification Authorities (optional)

Step 1: Create a .inf File

Create a text document and rename it with an .inf extension. Insert the following configuration:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=host.yourdomain.com"
RequestType = Cert
KeyLength = 2048
FriendlyName = "Sha256 TLS"
Exportable = true
HashAlgorithm = sha256
MachineKeySet = true
KeySpec = 1

Critical Notes:

  • Replace host.yourdomain.com with your actual subject name
  • RequestType = Cert generates a self-signed certificate directly
  • KeySpec = 1 enables key exchange capability for encryption
  • Save as C:\temp\RequestPolicy.inf

Step 2: Run CertReq Command

Open a Command Prompt with administrator privileges and run:

certreq -new c:\temp\RequestPolicy.inf

A dialog prompt will appear; click Cancel. The certificate is installed automatically into the machine's Personal store, which IIS Manager lists under Server Certificates. Verify the installation by checking IIS Manager > Server Certificates, and confirm that SMTP Virtual Server Properties displays the same expiration date.

Step 3: Import to Trusted Root Certification Authorities (Optional)

Self-signed certificates won’t be trusted by default. To remedy this:

  1. Open the Certificates snap-in in an MMC console
  2. Export the certificate from Personal Certificates as a .cer file
  3. Import the .cer file into Trusted Root Certification Authorities

Extended Configuration

Additional extensions can be added to the .inf file, such as Subject Alternative Names (SANs).
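The following PowerShell script is an added example, not part of the original article: it writes the article's .inf with an [Extensions] section carrying a Subject Alternative Name entry, runs certreq.exe, and then checks the installed certificate the way steps 2 and 3 above check it by hand (signature algorithm, private key, SAN contents). It assumes an elevated PowerShell on a Windows Server with certreq.exe and certutil.exe available; host.yourdomain.com and mail.yourdomain.com are placeholders to replace.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on Windows Server with certreq.exe and certutil.exe on the PATH.
$subjectHost = 'host.yourdomain.com'                            # placeholder
$sanHosts    = @('host.yourdomain.com', 'mail.yourdomain.com')  # placeholder SAN list
$infPath     = 'C:\temp\RequestPolicy.inf'
$cerPath     = 'C:\temp\RequestPolicy.cer'

New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null

# One _continue_ line per SAN entry; certreq joins them with the trailing '&'.
$sanLines = ($sanHosts | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# Same [NewRequest] settings as the article, plus the SAN extension.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$subjectHost"
RequestType = Cert
KeyLength = 2048
FriendlyName = "Sha256 TLS"
Exportable = true
HashAlgorithm = sha256
MachineKeySet = true
KeySpec = 1

[Extensions]
; 2.5.29.17 is the subjectAltName OID; {text} means the names follow as text.
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Passing an output file makes certreq write the self-signed certificate there
# instead of opening the Save dialog the article tells you to cancel.
& certreq.exe -new $infPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Locate the newest certificate with our subject in the machine's Personal store
# (the store IIS Manager shows as Server Certificates).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectHost" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$subjectHost was installed" }

$sigAlg = $cert.SignatureAlgorithm.FriendlyName
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

"Thumbprint:  $($cert.Thumbprint)"
"Signature:   $sigAlg"
"SAN:         $san"
"Private key: $($cert.HasPrivateKey)"
"Expires:     $($cert.NotAfter)"

# The point of the article: reject anything that is not SHA-256 signed, and
# make sure the private key landed in the machine store so SMTP TLS can use it.
if ($sigAlg -ne 'sha256RSA')  { throw "Expected sha256RSA, got $sigAlg" }
if (-not $cert.HasPrivateKey) { throw 'No private key; SMTP TLS cannot use this certificate' }

# Optional step 3: the .cer certreq wrote is the public certificate to import
# into Trusted Root Certification Authorities. Uncomment on test machines only.
# & certutil.exe -addstore -f Root $cerPath
```

Importing a self-signed certificate into Trusted Root Certification Authorities makes that key a trust anchor for every certificate it ever signs on that machine, so keep the import (and the exportable private key) confined to the test environment the article targets.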

References

  • TechNet CertReq documentation
  • CertReq.exe Syntax guide