Certificate key size of domain controller to 2048 bit

WinTechie 286 Reputation points
2020-12-04T16:17:48.567+00:00

Hi,

I want to implement 2048-bit key size domain controller certificates for my domain controllers. Right now they have a 1024-bit key size domain controller certificate.

I would like to get the steps below verified (let me know if anything else is required).

  • Create a duplicate of the Domain Controller certificate template with a minimum key size of 2048 under Cryptography
  • Set Read, Enroll and Autoenroll permissions
  • Issue the certificate template

Question 1: Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template? My current 1024-bit domain controller certificate has no explicit GPO configured, and it is renewed automatically.

Question 2: Also, once the above steps are executed, will it not renew certificates from two different templates (the original Domain Controller template and the new domain controller template with a 2048-bit key), considering that the existing domain controller certificates are being renewed without any explicit autoenrollment policy?

Thanks in advance for the help


2 answers

  1. Vadims Podāns 9,186 Reputation points MVP
    2020-12-05T10:49:27.643+00:00

    Q1: Yes, it is necessary to create an autoenrollment policy when using a custom template. However, you may not need to create a custom template. You can utilize the "Kerberos Authentication" certificate template, which should have the proper key length. It already has all the proper permissions. And remove the "Domain Controller" and "Domain Controller Authentication" templates from the CAs.

    Q2: see above. Just remove unnecessary templates from CAs.

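    A way to check the outcome of the advice above (which template each DC certificate came from and whether its key is still 1024-bit) is to audit the local machine store on each domain controller. The script below is an added example, not code from the thread or from Microsoft; it assumes it runs on a domain controller with rights to read the LocalMachine\My store and that the DC certificates use RSA keys.

```powershell
# Added example: report every certificate in the machine store with its template and RSA key size,
# and flag those below 2048 bits. Assumes it runs on a DC with read access to LocalMachine\My.
$MinimumKeyBits    = 2048
$V1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates, e.g. DomainController)
$V2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates, e.g. Kerberos Authentication)

function Get-CertTemplateLabel {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2+ templates carry the OID-based extension; v1 templates only carry the name extension
    foreach ($oid in $V2TemplateInfoOid, $V1TemplateNameOid) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return '<no template extension>'
}

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $null for non-RSA keys instead of throwing
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return $rsa.KeySize } else { return $null }
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $bits = Get-RsaKeyBits $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Template   = Get-CertTemplateLabel $_
        KeyBits    = $bits
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Weak       = ($null -ne $bits -and $bits -lt $MinimumKeyBits)
    }
}

$report | Sort-Object Weak -Descending | Format-Table -AutoSize

# Once the 2048-bit template is published and the old DC templates are removed from the CA,
# a clean re-run shows no rows with Weak = True and no certificate issued from 'DomainController'.
$weak = @($report | Where-Object { $_.Weak })
if ($weak.Count -gt 0) {
    Write-Warning ("{0} certificate(s) below {1} bits still present" -f $weak.Count, $MinimumKeyBits)
}
```

    Running `certutil -pulse` on the DC triggers an autoenrollment pass, so the audit can be repeated without waiting for the next scheduled autoenrollment cycle.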

  2. Vicky Wang 2,741 Reputation points
    2020-12-07T09:30:53.473+00:00

    > Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template as my current 1024 domain controller certificate has no explicit GPO configured and they are renewed automatically?

    According to my knowledge, I suggest you create an automatic registration strategy.

    > Also, once above mentioned steps are executed, will it not renew certificate from 2 different template (original domain controller and new domain controller template with 2048 key) considering existing domain controller certificates are being renewed without having any explicit autoenrollment policy

    As the MVP said, just removing the unnecessary templates from the CA will do.

    Hope this information can help you.
    Best wishes
    Vicky
