How can I create self-signed certificate that is stronger than SHA-1?

Sure. The makecert utility that is part of the Windows SDK can do that:

makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=localhost cert.cer

The -a parameter sets the hash algorithm. This spits out a PVK and a DER .cer file. You can of course also change the common name to anything you'd like, I just used localhost as an example. You can combine these into a PFX (what IIS prefers to use when importing a certificate) using pvk2pfx (also part of the SDK):

pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx

This just takes the two files makecert generated and combines them into a PKCS12 .pfx file.

With the resulting PFX file, you would open up IIS and import it under Server Certificates, then change your site's bindings to use the new certificate.
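A check worth running on the .cer that makecert writes, to confirm the signature algorithm really is SHA-256 and not SHA-1. This is an added example, not code from either answer; it walks only the outer DER structure of the certificate, takes a file path as its argument, and the two sample blobs are constructed inline as stand-ins for a real .cer:

```python
# Checks the signature hash of a DER (.cer) certificate without OpenSSL:
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
import sys

SHA1_RSA = "1.2.840.113549.1.1.5"       # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"    # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Decode OID contents (first byte packs two arcs, rest are base-128) to dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends this sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM/base64 input must be decoded first)")
    _, _, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return decode_oid(oid)

def is_sha1_signed(der):
    return signature_algorithm(der) == SHA1_RSA

# Constructed stand-ins for a .cer: empty tbsCertificate, RSA AlgorithmIdentifier
# with NULL params, one-byte signature. A real makecert .cer parses the same way.
SAMPLE_SHA256 = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
SAMPLE_SHA1 = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101050500" "030100")

if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SHA256
    print(signature_algorithm(der), "WEAK (SHA-1)" if is_sha1_signed(der) else "ok")
```

On Windows, `certutil -dump cert.cer` shows the same field under "Signature Algorithm" if you would rather not run a script.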


I am using a locked-down Windows 7 Enterprise computer at work and as such I am unable to install the Windows SDK to get access to makecert. Here's how I created my sha256 self-signed certificate (taken from https://core.telegram.org/bots/self-signed):

  1. Decide which directory you want to save your certificate in
  2. Create a text file in that directory called template.txt with the following contents:

    [NewRequest]
    
    ; At least one value must be set in this section
    Subject = "CN={your.domain.com}"
    KeyLength = 2048
    KeyAlgorithm = RSA
    HashAlgorithm = sha256
    ;MachineKeySet = true
    RequestType = Cert
    UseExistingKeySet = false ; generates a new private key (for export)
    Exportable = true ; makes the private key exportable with the PFX
    
  3. Replace {your.domain.com} with the address you'll use to access your site, e.g. "CN=localhost"

  4. Open up a command prompt and change to your certificate directory
  5. Run certreq -new template.txt RequestFileOut
  6. You'll need to know the serial number, so run certutil -store -user my to get a dump which includes the serial number
  7. Replace {SERIALNUMBER} with the serial number in the dump and {YOURDER}.crt with the name of the output file: certutil -user -store -split my {SERIALNUMBER} {YOURDER}.crt
  8. Replace {YOURDER}.crt with the name of the input file and {YOURPEM}.cer with the name of the output file: certutil -encode {YOURDER}.crt {YOURPEM}.cer
  9. Replace {your.domain.com} with your actual (test) domain name and {YOURPKCS}.pfx with the name of the output file: certutil -exportpfx -user {your.domain.com} {YOURPKCS}.pfx NoChain

After that I went to IIS Manager, Sites -> {site name} -> Bindings... (under "Edit Site"). I then clicked on https/443 because I already had it set up, Edit... and selected the new certificate from the list.

Firefox complained that my site was using a self-signed certificate, so I just added it as an exception, and voilà! It worked!