CSRs created by Exchange are signed with outdated signature algorithm

Applies To
Exchange Server 2019 Exchange Server 2016

Symptoms

When you run New-ExchangeCertificate, Microsoft Exchange Server uses the outdated sha1WithRSA signature algorithm to sign the Certificate Signing Request (CSR). Some Certification Authorities (CA) don't accept the CSR if it's signed by using this outdated signature algorithm.

Resolution

To fix this issue, install the following security update: