We use and internal certificates in my company for Exchange 2013 and recently we employed a company wide mandate to move all internal SSL certificates from SHA1 to SHA512. Our current company patching policy is to apply security patches and only install other patches on an as needed basis. When the time came to renew our SHA1 cert for Exchange 2013 we discovered that SMTP fails when using TLS 1.2 with a SHA512 certificate on windows 2012 R2 (and possibly Server 2008 R2). There are two options to fix this situation
- Install the August 2014 update rollup which enables SHA512 for TLS 1.2
- Disable TLS 1.2 via the registry, this forces TLS 1.1 (a weaker protocol) and also breaks windows update
- Over all this a solution that should be avoided, but it’s nice to know it works in a pinch
I’ve tested both successfully in my environment and in the end we went with the update.