We are trying to create a qualified subordination CSR using a SHA256 signature; however, the request keeps coming back as being signed using SHA1. We would like the signature to be SHA-256 for the CSR, not just applied by the CA signature.
The CA certificate and the Qualified Subordination signing certificate both have SHA-256 as the signature algorithm (these were both created using the GUI, where there is the signature algorithm dropdown). This is being done on 2008 Enterprise R1 OS / Stand-alone subordinate CA (policy tier). We are using the 'certreq -policy' command and are using a policy.inf file. We have not been able to locate an area within the policy.inf that would specify which hash to use ("[NewRequest]" is not appropriate for this file).
The command syntax description from "certutil -policy -?" indicates that there should be a "-hash HashAlgorithm" option that could be used; however, we are not able to determine what name format to use (we have tried sha256, sha256RSA, rsasha256, sha-256, and even sha1, sha-1, sha1rsa, and rsasha1).
Any ideas? Thanks in advance...