Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Best Practice for Configuring Certificate Template Cryptography


Starting with Windows Vista and Windows Server 2008, the option to use Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a certificate template and configure the settings on the Cryptography tab. Depending on the template you duplicated, the default option may be "Request can use any provider available on the subject’s computer". The best practice, however, is to select "Requests must use one of the following providers" and then configure only the providers you actually want to be used. Another best practice is to use a key size of 1024 bits or higher.
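
An added example (not code from this post or from Microsoft) that audits templates against the two settings just described: it flags templates that allow any provider, templates listing a provider outside an approved set, and templates whose minimum key size is below a floor. It works on constructed sample records shaped like the AD template attributes pKIDefaultCSPs and msPKI-Minimal-Key-Size; the assumption that an empty pKIDefaultCSPs means "any provider" and the approved-provider list are mine, not the post's.

```powershell
# Added example: audit certificate template cryptography settings.
# Assumption: an empty pKIDefaultCSPs list means "Request can use any provider".
# For a live forest (requires the ActiveDirectory module), replace $Templates with:
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   $Templates = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
#       -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties pKIDefaultCSPs, 'msPKI-Minimal-Key-Size'

# Providers you have decided to allow (constructed policy; adjust to your environment).
$AllowedProviders = @('Microsoft Software Key Storage Provider')
$MinimumKeySize   = 1024   # the post's floor; raise it to match your own policy

# Constructed sample records.
$Templates = @(
    @{ Name = 'WebServerKSP'; pKIDefaultCSPs = @('1,Microsoft Software Key Storage Provider'); 'msPKI-Minimal-Key-Size' = 2048 },
    @{ Name = 'LegacyUser';   pKIDefaultCSPs = @('1,Microsoft Enhanced Cryptographic Provider v1.0', '2,Microsoft Base Cryptographic Provider v1.0'); 'msPKI-Minimal-Key-Size' = 512 },
    @{ Name = 'AnyProvider';  pKIDefaultCSPs = @(); 'msPKI-Minimal-Key-Size' = 2048 }
)

function Test-TemplateCryptography {
    param([Parameter(Mandatory)] $Template, [string[]] $Allowed, [int] $MinKeySize)
    $findings = @()
    # Drop $null so a missing attribute counts as an empty list, not one entry.
    $cspList = @($Template.pKIDefaultCSPs | Where-Object { $_ })
    if ($cspList.Count -eq 0) {
        $findings += 'any provider on the subject computer is permitted'
    } else {
        # Each entry is "<priority>,<provider name>"; keep only the name.
        $names = $cspList | ForEach-Object { $_ -replace '^\d+,\s*', '' }
        $extra = $names | Where-Object { $Allowed -notcontains $_ }
        if ($extra) { $findings += "unapproved provider(s): $($extra -join '; ')" }
    }
    $keySize = [int]$Template.'msPKI-Minimal-Key-Size'
    if ($keySize -lt $MinKeySize) { $findings += "minimum key size $keySize is below $MinKeySize" }
    [pscustomobject]@{
        Template  = $Template.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join ' | ')
    }
}

$Templates |
    ForEach-Object { Test-TemplateCryptography -Template $_ -Allowed $AllowedProviders -MinKeySize $MinimumKeySize } |
    Format-Table -AutoSize
```

On the sample data only WebServerKSP is reported compliant; LegacyUser is flagged for both unapproved CSPs and a 512-bit minimum, and AnyProvider for allowing any provider.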

More on this topic is on the TechNet Wiki: http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx

Comments
  • What is the effect for XP/2003 machines or users on those machines that are using Auto-Enrollment when a template is configured for Microsoft Software Key Storage Provider?

  • @Paul

    KSPs aren't installed on Windows XP or 2003 (they are part of CNG, which is only available to Vista/2008+).

    As such, I expect the effect would be that auto-enrolment would not be possible (as the computer does not have the provider required to generate keys).

    Somebody who has tested this wish to confirm?
