

Note: This is a (very, very long) compendium of recommendations and actions that Microsoft, NIST, and other well-respected PKI and cryptography experts have published. If you see something that requires even the slightest revision, do let me know.

Before I get into configuring the CA and its subs, it's good to know that even though Microsoft's CryptoAPI requires a self-signed root, some non-Microsoft software follows RFC 3280 (now RFC 5280) and allows any CA certificate to serve as the trust anchor for validation purposes. One reason may be that the non-Microsoft software prefers a lower key length than the root carries.

Here are some configuration notes and guidance on setting up a root CA and its subs:

Best: Store the key on an HSM that supports key counting. Every time the CA's private key is used, the counter is increased, so you can reconcile the count against the certificates and CRLs the CA has actually signed and spot any use you did not authorize.

Good: Store the private key on a smart card. I'm unaware of any smart card that offers key counting, so enabling key counting with a smart card may give you unexpected results in the event log.

Acceptable: Store the private key under Windows DPAPI (the software key storage provider). Ensure that these keys and the Key Enrollment Agent's keys don't end up in Roaming Credentials. See also: How to enumerate DPAPI and Roaming Credentials.

Don't use 1024 bits as a key length. NIST phased it out in 2011 (SP 800-131A), and Microsoft won't ever add a 1024-bit root to your Trusted Root CA store since it doesn't meet the program's minimum accepted technical criteria. Root CAs that must support legacy applications should not be larger than 2048 bits, because some older clients cannot handle bigger keys.
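As an added example (not part of the original post), the following PowerShell script audits the local machine's Trusted Root and Personal stores against the guidance above: it flags RSA keys below 2048 bits, optionally flags roots above 2048 bits when legacy clients must chain to them, checks that anything in the Trusted Root store is self-signed as CryptoAPI expects, and reports which provider holds each private key so you can place it on the Best (HSM), Good (smart card) or Acceptable (DPAPI-protected software key) tier. `Test-CaKeyPolicy` and the provider-name patterns are this example's own; it assumes Windows PowerShell 5.1 with .NET 4.6 or later.

```powershell
# Added example, not from the original post. Audits certificates against the
# key-length, self-signed-root and key-storage guidance above.
# Assumes Windows PowerShell 5.1 / .NET 4.6+. Test-CaKeyPolicy and the
# provider-name regexes are this example's own heuristics, not Microsoft's.

param(
    [switch]$LegacyClients   # cap roots at 2048 bits when legacy apps must chain to them
)

function Test-CaKeyPolicy {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$ExpectSelfSigned,
        [switch]$LegacyClients
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Public key: only RSA is in scope for the bit-length advice.
    $bits = $null
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) {
        $findings.Add('Not an RSA key; the bit-length guidance does not apply')
    } else {
        $bits = $rsa.KeySize
        if ($bits -lt 2048) {
            $findings.Add("RSA-$bits is below 2048 bits: deprecated by NIST in 2011 and not accepted by the Microsoft Trusted Root Program")
        } elseif ($LegacyClients -and $bits -gt 2048) {
            $findings.Add("RSA-$bits is above 2048 bits: legacy clients may be unable to use this root")
        }
    }

    # CryptoAPI expects a self-signed certificate in the Trusted Root store.
    # Subject/Issuer string equality is a cheap heuristic; a full check would
    # verify the signature with the certificate's own public key.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    if ($ExpectSelfSigned -and -not $selfSigned) {
        $findings.Add('Not self-signed: CryptoAPI will not treat it as a root even though RFC 5280 validators might')
    }

    # Private key storage tier: Best (HSM), Good (smart card), Acceptable (DPAPI).
    $provider = $null
    $tier = 'n/a (no private key on this machine)'
    if ($Cert.HasPrivateKey) {
        try {
            $priv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($priv -is [System.Security.Cryptography.RSACng]) {
                $provider = $priv.Key.Provider.Provider            # CNG key storage provider name
            } elseif ($priv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $priv.CspKeyContainerInfo.ProviderName  # legacy CAPI CSP name
            }
        } catch {
            $provider = "unreadable: $($_.Exception.Message)"       # e.g. a hardware token that wants a PIN
        }
        if (-not $provider) { $provider = 'unknown' }               # switch on $null would emit nothing
        $tier = switch -Regex ($provider) {
            'Smart Card' { 'Good: smart card'; break }
            '^Microsoft .*(Cryptographic Provider|Software Key Storage Provider)' {
                'Acceptable: DPAPI-protected software key; keep it out of Roaming Credentials'; break
            }
            default { 'Third-party provider, probably an HSM: confirm key counting is enabled' }
        }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        KeyBits    = $bits
        SelfSigned = $selfSigned
        Provider   = $provider
        KeyTier    = $tier
        Findings   = ($findings -join '; ')
    }
}

# Trusted roots must be self-signed; CA certificates with a local private key
# (typically in LocalMachine\My on the CA itself) get the storage-tier check.
$results = @()
$results += Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { Test-CaKeyPolicy -Cert $_ -ExpectSelfSigned -LegacyClients:$LegacyClients }
$results += Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey |
    ForEach-Object { Test-CaKeyPolicy -Cert $_ -LegacyClients:$LegacyClients }

$results | Where-Object { $_.Findings -or $_.KeyTier -notlike 'n/a*' } |
    Format-Table Subject, KeyBits, SelfSigned, KeyTier, Findings -AutoSize -Wrap
```

Run it as `.\Audit-CaKeys.ps1` on a CA host (or with `-LegacyClients` when the root must also serve old applications). The provider-name classification is deliberately conservative: anything that is not a Microsoft software CSP/KSP or a smart card provider is reported as a third-party provider to review by hand, since only the vendor's documentation can tell you whether that HSM supports key counting.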
