How to use 2048 bit, SHA256 certificate with Win Server 2008 R2 and IIS 7.5

We've got a Windows Server 2008 R2 Datacenter machine running as an EC2 instance at Amazon.  We've always used and still use the IIS Certificates Manager to generate our certificates as SHA-1 2048bit.  Recently we've had a client ask us to install an SHA256bit 2048 key.  Well, IIS Cert Mgr doesn't do SHA256 so I've used OpenSSL-Win64 to produce a couple of files with this command:

openssl req -nodes -sha256 -newkey rsa:2048 -keyout C:\SSL\mysite2015-09-29_private.key -out C:\SSL\mysite2015-09-29.csr

Which produces two files:


When opened in Notepad++ the files begin and end with -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY-----  and -----BEGIN CERTIFICATE REQUEST----- / -----END CERTIFICATE REQUEST----- respectively.

I have forwarded the .CSR file on to the client for them to register the thing with their favorite certificate authority.  I have no idea what to do next.

Do I need to somehow install the private.key into Certificate Manager?  There are a million different formats it seems, do I need to use a different format and how would I go about changing the format?  Also, because we'll be using a load balancer at some point I'll be needing the private key in .PEM format.  How do I do that conversion?  Do I need to install some sort of SSL handler to deal with the SHA256 or can IIS7.5 do that?  If so what does that mean for the other 8 certs we've already got installed?

IIS 7.5 handles certificates with SHA256 just fine without doing anything.
For importing, I would use OpenSSL to generate a .PFX file (PKCS#12) which you can then easily import.  Syntax is something like
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Pretty sure the private key is already in PEM format (Base64).
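
An added example, not part of the original question or answer: a shell wrapper around the pkcs12 export above that first confirms the CA-issued certificate carries the same public key as the private key from the CSR step and that it is SHA-256 signed. The function names, file names, subject and password are assumptions made for the illustration, and a self-signed certificate stands in for the CA's reply.

```shell
#!/usr/bin/env bash
# Added example. File names, subject and password below are constructed.

# SHA-256 fingerprint of the public key inside FILE ($1); KIND ($2) is key|csr|cert.
pubkey_fp() {
  case "$2" in
    key)  openssl pkey -in "$1" -pubout ;;
    csr)  openssl req  -in "$1" -noout -pubkey ;;
    cert) openssl x509 -in "$1" -noout -pubkey ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}'
}

# make_pfx KEY CERT OUT [CHAIN]: refuse to bundle unless the issued cert carries
# the same public key as KEY and is SHA-256 signed. Password comes from $PFX_PASS.
make_pfx() {
  [ "$(pubkey_fp "$1" key)" = "$(pubkey_fp "$2" cert)" ] ||
    { echo "certificate does not match private key" >&2; return 1; }
  case "$(sig_alg "$2")" in
    *sha256*|*SHA256*) ;;
    *) echo "certificate is not SHA-256 signed" >&2; return 2 ;;
  esac
  openssl pkcs12 -export -inkey "$1" -in "$2" ${4:+-certfile "$4"} \
    -out "$3" -passout env:PFX_PASS
}

# Constructed walk-through: a self-signed cert stands in for the CA's reply.
demo() {
  d=$(mktemp -d) && export PFX_PASS='constructed-demo-pass'
  openssl req -nodes -sha256 -newkey rsa:2048 -subj "/CN=mysite.example" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$d/site.csr" -signkey "$d/site.key" \
    -out "$d/site.crt" 2>/dev/null
  make_pfx "$d/site.key" "$d/site.crt" "$d/site.pfx" && echo "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

OpenSSL 3.x encrypts PFX files with AES-256 by default, which older Windows releases may fail to import; adding `-legacy` to the `pkcs12 -export` call selects the older algorithms.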
