Problem issuing TLS Cert (ECC/ECDSA) using Microsoft CA

Michael Bomba 0 Reputation points
2023-09-27T06:29:33.8633333+00:00

I have a standalone enterprise CA with a signing cert based on SHA384ECDSA, ECC (384), ECDSA_P384. I can issue User certs with similar parameters. I cannot issue TLS certs with similar parameters. The best I can do on a TLS cert is SHA384ECDSA and RSA (4096 bits). I have tried modifying templates and cannot get a combination that allows me to issue a TLS certificate that is SHA384ECDSA, ECC (384), ECDSA_P384. CA is built on Server 2016 (1607) with latest patches.


1 answer

Limitless Technology 44,746 Reputation points
2023-09-27T08:43:32.8933333+00:00

Hello Michael Bomba,

The ability to issue TLS certificates with specific parameters like SHA-384, ECC (384), and ECDSA_P384 depends on the certificate templates configured on your Certificate Authority (CA). In your case, you're using a standalone enterprise CA on Windows Server 2016. To issue TLS certificates with the desired parameters, you may need to make adjustments to the certificate templates and ensure that the CA's configuration allows these options.

On your CA server, press Win + R, type certsrv.msc, and press Enter to open the Certification Authority MMC.

Create a New Template or Modify an Existing One:

- In the Certification Authority MMC, right-click on "Certificate Templates" and choose "Manage."
- Duplicate an existing template that is close to your desired configuration or create a new template.
- In the template properties, go to the "Cryptography" tab.

Configure Cryptographic Settings:

- Select "Requests must use one of the following providers" and choose a cryptographic provider that supports the desired parameters (e.g., Microsoft Software Key Storage Provider for ECC/ECDSA).

Specify Key Size and Algorithm:

- Set the key size and algorithm according to your requirements (e.g., ECC 384-bit, ECDSA_P384).

Configure Hash Algorithm:

- In the same template properties, go to the "Extensions" tab and select "Application Policies."
- Add an application policy for "Server Authentication" (OID 1.3.6.1.5.5.7.3.1).
- In the "Security" tab, grant the necessary permissions to allow your CA to issue certificates based on this template.

Issue or Reissue the Certificate:

- After creating or modifying the template, go back to the Certification Authority MMC.
- Right-click on "Certificate Templates" and choose "New," then "Certificate Template to Issue."
- Select the template you created or modified.

Reference: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-server-certificate-template

--If the reply is helpful, please Upvote and Accept as answer--

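As an added, worked version of the template-and-request procedure in the answer above (example code, not part of the original question or answer): once a template that permits ECDSA_P384 under a Key Storage Provider has been published, the same TLS certificate can be requested from a Windows host with certreq and the issued certificate checked for the expected key and signature algorithm. One check worth running first is the template's schema version: the "Key Storage Provider" category and the ECDSA_P384 algorithm only appear on the Cryptography tab when the template's compatibility setting is Windows Server 2008 / Windows Vista or later (schema version 3), and a template left at Windows Server 2003 compatibility offers only legacy CSP options such as RSA. The CA config string, template name and host name below are placeholders.

```powershell
# Added example, not taken from the question or the answer above.
# Placeholders - adjust to your environment:
#   $CaConfig : "CAHOST\CA Common Name" (as listed by 'certutil -config - -ping' / certsrv)
#   $Template : the template NAME (not the display name) you published for ECDSA TLS certs
#   $Fqdn     : the server's DNS name for the Subject CN and the SAN
$CaConfig = 'CAHOST.example.local\Example Issuing CA'   # placeholder
$Template = 'ECDSAP384WebServer'                        # placeholder template name
$Fqdn     = 'web01.example.local'                       # placeholder host name
$Work     = Join-Path $env:TEMP 'ecdsa-req'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq .inf: the KSP generates a P-384 key and signs the PKCS#10 with SHA-384.
# No KeySpec line on purpose: ECDSA keys are signature-only, so the legacy
# AT_KEYEXCHANGE setting (KeySpec = 1) does not apply to them.
# KeyUsage 0x80 = digitalSignature only (an ECDSA key cannot do key encipherment).
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject        = "CN=$Fqdn"
KeyAlgorithm   = ECDSA_P384
KeyLength      = 384
HashAlgorithm  = sha384
ProviderName   = "Microsoft Software Key Storage Provider"
MachineKeySet  = TRUE
Exportable     = FALSE
KeyUsage       = 0x80
RequestType    = PKCS10

; Server Authentication EKU
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

; Subject Alternative Name (2.5.29.17) carrying the DNS name
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[RequestAttributes]
CertificateTemplate = $Template
"@

$InfPath = Join-Path $Work 'request.inf'
$ReqPath = Join-Path $Work 'request.req'
$CerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Before submitting, dump the published template: a schema-version-2 template
# carries no KSP/ECDSA settings, which is the usual reason only RSA is offered.
certutil -v -template $Template

# Generate the key and request, submit it to the CA, and bind the issued cert
# to the private key in LocalMachine\My.
certreq -new $InfPath $ReqPath
certreq -submit -config $CaConfig $ReqPath $CerPath
certreq -accept $CerPath

# Verify the outcome: the public key must be ECDSA P-384 and the CA signature
# must be sha384ECDSA, which is exactly what the question asks for.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
$Ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
if ($null -eq $Ecdsa) {
    throw "Issued certificate does not carry an ECDSA key (public key OID: $($Cert.PublicKey.Oid.FriendlyName))."
}
"Key: ECDSA $($Ecdsa.KeySize)-bit; Signature: $($Cert.SignatureAlgorithm.FriendlyName); Thumbprint: $($Cert.Thumbprint)"
```

If the CA returns an RSA certificate or rejects the request with a key-algorithm error even though the .inf asks for ECDSA_P384, the restriction is on the template rather than the requester: on the Cryptography tab the provider category must be "Key Storage Provider" and the algorithm ECDSA_P384 (with "Requests must use one of the following providers" pointing at a KSP), and the CA must have that template in its "Certificate Templates" folder before it will honor the CertificateTemplate attribute.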
