Error installing AD CS using "RSA#Microsoft Enhanced RSA and AES Cryptographic Storage Provider"

Charlie Melga 126 Reputation points
2023-03-13T13:05:54.5466667+00:00

Hello

If I installed AD CS as follows (on Windows 2019 Server Core)

Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName "Core-CA-02" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

The above works no problem

If I change the –CryptoProviderName to the following

-CryptoProviderName 'RSA#Microsoft Enhanced RSA and AES Cryptographic Storage Provider'

It fails to install.
(I can use the 'Microsoft Enhanced RSA and AES Cryptographic Storage Provider' via a GUI install with no issues, but this is Windows Server Core so no GUI.) So I know it is not the CryptoProviderName (unless the syntax is slightly wrong, as you have to add RSA# to the beginning of the name).

I do not have the exact error message to hand at the moment (apologies), but it is something along the lines of

Incorrect parameter, or unrecognized parameter

Any ideas please?

thanks in advance

CXMelga


Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2023-03-13T14:55:30.15+00:00

    The actual provider name is "Microsoft Enhanced RSA and AES Cryptographic Provider", without the "RSA#" prefix. The reason behind the "RSA#" prefix is that the Microsoft KSP supports different types of asymmetric algorithms, such as RSA and ECDSA (with different curves). "Microsoft Enhanced RSA and AES Cryptographic Provider" supports only RSA, so the prefix is redundant.

    Note: using the "Microsoft Enhanced RSA and AES Cryptographic Provider" provider for a CA is strongly discouraged, because it is a legacy provider which doesn't support the enhanced features provided by the CNG subsystem and may get a limited set of supported algorithms.
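
A pre-flight check for the provider name, as an added example that is not part of the original thread. The helper `Resolve-CaProviderName` is hypothetical: it compares the name against the providers registered on the server and returns it in the form the accepted answer describes (bare name for a legacy CSP, algorithm prefix for a KSP). It assumes the two registry keys shown list the installed legacy CSPs and CNG providers; `certutil -csplist` prints the same names.

```powershell
# Added example, not code from the thread. Resolve-CaProviderName is a hypothetical helper.
function Resolve-CaProviderName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Assumption: these keys hold one subkey per registered provider.
        [string[]] $LegacyCsp   = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider').PSChildName,
        [string[]] $CngProvider = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers').PSChildName
    )

    # Split an optional "ALG#" prefix (RSA#, ECDSA_P256#, ...) from the provider name.
    $alg = $null; $provider = $Name
    if ($Name -match '^(?<alg>[^#]+)#(?<prov>.+)$') {
        $alg = $Matches['alg']; $provider = $Matches['prov']
    }

    if ($provider -in $CngProvider) {
        # A KSP can hold several key types, so the algorithm has to be named.
        if (-not $alg) { throw "KSP '$provider' needs an algorithm prefix such as 'RSA#'." }
        return [pscustomobject]@{ Kind = 'CNG KSP'; CryptoProviderName = "${alg}#${provider}" }
    }
    if ($provider -in $LegacyCsp) {
        # Legacy CSP: pass the bare name and flag that it lacks CNG features.
        Write-Warning "'$provider' is a legacy CSP without CNG features."
        return [pscustomobject]@{ Kind = 'Legacy CSP'; CryptoProviderName = $provider }
    }
    throw "No provider named '$provider' is registered. Registered: $(($LegacyCsp + $CngProvider) -join '; ')"
}

# The name from the question is rejected before any CA setup is attempted.
try   { Resolve-CaProviderName 'RSA#Microsoft Enhanced RSA and AES Cryptographic Storage Provider' }
catch { Write-Host "Rejected: $_" }

# A registered KSP resolves; -WhatIf shows what the install would do without performing it.
$p = Resolve-CaProviderName 'RSA#Microsoft Software Key Storage Provider'
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'Core-CA-02' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName $p.CryptoProviderName -WhatIf
```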


1 additional answer

  1. Thameur-BOURBITA 32,506 Reputation points
    2023-03-13T14:27:07.7066667+00:00

    Hi @Charlie Melga

    It seems that the syntax is not correct:

    Did you try to use -CryptoProviderName "Microsoft Enhanced RSA and AES Cryptographic Provider"?

    Please don't forget to mark helpful answer as accepted
