New Certification Authority - PKI: chain with key length at 4096 bit, impacts and Hybrid Chain.

49885604

Hi everyone,

I have to create a new PKI and I would like to know if I can create a 4096 key for the RootCA certificate, for the Issuing CA and for all the Certification Authority services (WebEnrollment, NDES, OCSP, etc.). Obviously I would also like to create 4096 templates and certificates. Are there best practices for the impacts on clients, servers, devices and platforms with a completely 4096 chain?

Would it be possible to create a chain at 4096 up to the IssuingCA and then create template\certificates at 2048?

The Operating System I would like to use is Windows Server 2022.

Thanks in advance,

