Subordinate Certification Authority template increase minimum key size

bartn92 21 Reputation points
2021-10-15T10:01:10.233+00:00

Hi,

I have a two-tiered on-premises PKI: an offline root and issuing subordinate CAs. I need to generate a TLS proxy certificate for HTTPS inspection. I created a new certificate template by duplicating Subordinate Certification Authority. I see that by default the attribute msPKI-Minimal-Key-Size for this template is set to 1024. I would like to increase it to 2048. There is no Cryptography tab in the template settings, so I cannot enforce a minimum key size. Is there any way to override this setting?


Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2021-10-15T19:09:50.15+00:00

    You can specify the required key size in the certificate request; this template setting for the CA makes little sense, since you generate keys on your (client) side and only submit them to the CA for signing. Just specify the desired key size when generating the request.
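    An added example (not from the thread or from Microsoft) of putting the key size into the request as the answer describes: a certreq INF with KeyLength set to 2048, the request generated on the machine that will hold the key, and the key size checked in the PKCS#10 file before it is sent to the CA, then again in the issued certificate. The template name `SubCA2048`, the subject, the work directory and the CA config string `CAHOST\Issuing-CA` are placeholders; the "Public Key Length" check assumes English certutil output.

```powershell
# Added example, not part of the original thread. Placeholders to replace:
#   SubCA2048            - common name of the duplicated sub CA template
#   CN=TLS Inspection CA - subject of the new subordinate CA
#   CAHOST\Issuing-CA    - CA config string used by certreq -submit
# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=TLS Inspection CA, O=Example Corp"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = SubCA2048
'@

$workDir = Join-Path $env:TEMP 'subca-req'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'subca.inf'
$reqPath = Join-Path $workDir 'subca.req'
$cerPath = Join-Path $workDir 'subca.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new $infPath $reqPath

# Check the key size in the request itself before it leaves this host.
$keyLine = certutil -dump $reqPath | Select-String -Pattern 'Public Key Length'
"Request: $keyLine"
if ($keyLine -notmatch '2048') {
    throw 'The request does not carry a 2048-bit key; not submitting it.'
}

# Submit to the issuing CA. Needs Enroll permission on the template and, if
# the template requires it, CA manager approval before the cert is issued.
# certreq -submit -config 'CAHOST\Issuing-CA' $reqPath $cerPath

# After issuance, confirm the key size of the signed certificate as well.
if (Test-Path $cerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    "Issued certificate: $($rsa.KeySize)-bit RSA key"
}
```

    The INF leaves key usage and basic constraints out on purpose: for a template-based request the CA applies the template's extensions, so the request only needs to carry the subject, the key and the template name. Keep the private key non-exportable on the host that will actually do the inspection; if the proxy appliance generates its own CSR, only the key-size check on the request file applies.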


1 additional answer

Sort by: Most helpful
  1. Limitless Technology 39,336 Reputation points
    2021-10-18T09:20:26.2+00:00

    Hello @bartn92 ,

    Thank you for your question.

    Some recommendations below for you:

    1) I never recommend using pre-installed templates. Even if the template is OK, I recommend duplicating it with the same settings, updating the key length and adding corporate branding to the template. This can be useful for further debugging and comparing to standard models.

    2) You can try running the "certutil -InstallDefaultTemplates" command.

    I recommend that you also consult the topic below which deals with a problem similar to yours, I believe it may be useful:

    https://learn.microsoft.com/en-us/answers/questions/104861/domain-conroller-certificate-key-size.html


    If the answer is helpful, please vote positively and accept as an answer.

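An added example (not from either answer or from Microsoft) of "updating the key length" on the duplicated template when the Cryptography tab is absent: the template is an object under CN=Certificate Templates in the configuration partition, and msPKI-Minimal-Key-Size is an attribute on it that can be read and raised with the ActiveDirectory module. Raising it means the CA rejects any submitted request whose key is smaller, rather than relying on whoever builds the request to pick 2048. The template name `SubCA2048` is a placeholder; the script assumes RSAT's ActiveDirectory module and write access to the template object (by default Enterprise Admins).

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module and write access to the template object. 'SubCA2048' is a placeholder
# for the common name of the duplicated Subordinate Certification Authority
# template.
Import-Module ActiveDirectory

$templateName = 'SubCA2048'
$minimumBits  = 2048

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Minimal-Key-Size', 'displayName'
$current = [int]$tpl.'msPKI-Minimal-Key-Size'
"Template '$($tpl.displayName)': msPKI-Minimal-Key-Size = $current"

if ($current -lt $minimumBits) {
    # Raise the minimum; requests with smaller keys are refused by the CA.
    Set-ADObject -Identity $templateDN -Replace @{ 'msPKI-Minimal-Key-Size' = $minimumBits }
    "Raised msPKI-Minimal-Key-Size to $minimumBits"
} else {
    "Minimum already at or above $minimumBits; nothing to change"
}

# Read it back so the change is confirmed from the directory, not assumed.
$check = Get-ADObject -Identity $templateDN -Properties 'msPKI-Minimal-Key-Size'
if ([int]$check.'msPKI-Minimal-Key-Size' -lt $minimumBits) {
    throw "msPKI-Minimal-Key-Size is still below $minimumBits"
}

# The issuing CA caches templates; restart its service (on the CA host) so
# the new minimum is applied to the next submitted request.
# Restart-Service CertSvc
```

Run the check part (the first Get-ADObject) on any duplicated template before publishing it on the CA, since the duplicated copy inherits the 1024-bit minimum from the built-in Subordinate Certification Authority template. Together with a 2048-bit KeyLength in the request, this gives a minimum enforced on both sides rather than on one.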