Microsoft Enhanced RSA and AES Cryptographic Provider option missing while installing ADCS

Roni Joseph 10 Reputation points
2025-02-25T08:23:49.14+00:00

Trying to install an ADCS on Windows Server 2019 Standard.

Requirement is to bring up Certificate Authority with AES encryption instead of 3DES (for SCEP).

  1. While deploying ADCS, in the "Select a cryptography provider" drop-down, the "Microsoft Enhanced RSA and AES Cryptographic Provider" option is missing. Why?
  2. Is there any alternate way to bring up a Certificate Authority with AES?
  3. Which Windows Server version supports AES instead of 3DES?

Tried also using PowerShell 7, but it failed.

PS C:\> Install-AdcsCertificationAuthority -CAType StandaloneRootCa -CACommonName "MSCA-AES" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "Microsoft Enhanced RSA and AES Cryptographic Provider"

Install-AdcsCertificationAuthority: The term 'Install-AdcsCertificationAuthority' is not recognized as a name of a cmdlet, function, script file, or executable program.

Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

PS C

Windows Server 2019

2 answers

  1. Roni Joseph 10 Reputation points
    2025-02-27T08:26:25.89+00:00

    Thanks Alex.

    csplist shows Microsoft Enhanced RSA and AES Cryptographic Provider, but somehow it's missing in the UI. Only this CSP option is missing from the cryptographic provider drop-down.

    I tried with both FIPS and non-FIPS. FIPS is expected to support AES. That's why I tried with FIPS mode.

    PowerShell I am running as administrator.

    ———————————————————————

    PS C:\Users\Administrator.WIN-WDFGDFGTT54>  Import-Module ADCSDeployment

    Import-Module: The specified module 'ADCSDeployment' was not loaded because no valid module file was found in any module directory.

    ———————————————————————

    PS C:\Users\Administrator.WIN-WDFGDFGTT54> certutil -csplist

    Provider Name: Microsoft Base Cryptographic Provider v1.0
    Provider Type: 1 - PROV_RSA_FULL

    Provider Name: Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
    Provider Type: 13 - PROV_DSS_DH

    Provider Name: Microsoft Base DSS Cryptographic Provider
    Provider Type: 3 - PROV_DSS

    Provider Name: Microsoft Base Smart Card Crypto Provider
    Provider Type: 1 - PROV_RSA_FULL

    Provider Name: Microsoft DH SChannel Cryptographic Provider
    Provider Type: 18 - PROV_DH_SCHANNEL

    Provider Name: Microsoft Enhanced Cryptographic Provider v1.0
    Provider Type: 1 - PROV_RSA_FULL

    Provider Name: Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
    Provider Type: 13 - PROV_DSS_DH

    Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider
    Provider Type: 24 - PROV_RSA_AES

    Provider Name: Microsoft RSA SChannel Cryptographic Provider
    Provider Type: 12 - PROV_RSA_SCHANNEL

    Provider Name: Microsoft Strong Cryptographic Provider
    Provider Type: 1 - PROV_RSA_FULL

    Provider Name: Microsoft Software Key Storage Provider

    Provider Name: Microsoft Passport Key Storage Provider

    Provider Name: Microsoft Platform Crypto Provider
    Microsoft Platform Crypto Provider: The device that is required by this cryptographic provider is not ready for use.

    Provider Name: Microsoft Smart Card Key Storage Provider

    CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
    CertUtil: The device that is required by this cryptographic provider is not ready for use.


    1 person found this answer helpful.

  2. Alex Burlachenko 1,745 Reputation points
    2025-02-25T08:33:48.0266667+00:00

    Hey Roni,

    that AES provider should be there on Server 2019, so if it’s missing, something’s up. Maybe it’s not installed, or maybe u gotta enable it. u can check by running certutil -csplist in PowerShell. That’ll show u all the crypto providers on your server. If the AES one isn’t there, u might need to turn it on manually. But be careful with that, ‘cause messing with the registry can get dicey. Backup first, yeah?

    Now, about that PowerShell error u got—it’s saying it doesn’t recognize the Install-AdcsCertificationAuthority command. That’s ‘cause u gotta load the ADCS module first. Just run Import-Module ADCSDeployment before u try the install command again. Oh, and make sure u’re running PowerShell as admin, or it’ll just give u the cold shoulder.

    If u still can’t get the AES provider to show up, u might need to tweak some settings. Maybe check if the server is in FIPS mode or something, ‘cause that can block certain providers. Or u might need to enable the provider via Group Policy. It’s a bit of a hassle, but u gotta do what u gotta do, right?

    And just so u know, AES is supported on Server 2012 and up, so u’re good with 2019. It’s just about getting that provider to show its face.

    So, quick recap....

    1. Check if the AES provider is there with certutil -csplist.

    2. Load the ADCS module in PowerShell with Import-Module ADCSDeployment.

    3. Run the install command again.

    4. If the provider’s still missing, u might need to enable it manually or check your server config.

    Hope that helps,

    rgds,

    Alex
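
Added example, not part of either post: the checks discussed in this thread gathered into one PowerShell report. It parses `certutil -csplist` text so the provider test still works when the command ends with NTE_DEVICE_NOT_READY, as it does in the output posted above. `ConvertFrom-CspList` is a hypothetical helper name, and `$sample` is an excerpt of that posted output.

```powershell
# Added example (not from the thread). ConvertFrom-CspList is a hypothetical helper.
function ConvertFrom-CspList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') {
            if ($current) { $current }   # emit the previous entry
            # No "Provider Type" line follows a CNG key storage provider (KSP).
            $current = [pscustomobject]@{ Name = $Matches[1]; Type = $null; Kind = 'KSP' }
        }
        elseif ($current -and $line -match '^\s*Provider Type:\s*(\d+)\s*-\s*(\S+)') {
            $current.Type = [int]$Matches[1]
            $current.Kind = "Legacy CSP ($($Matches[2]))"
        }
        # Any other line (per-provider errors, the final CertUtil status) is ignored.
    }
    if ($current) { $current }
}

# Excerpt of the output posted in the thread, blank lines removed.
$sample = @'
Provider Name: Microsoft Enhanced Cryptographic Provider v1.0
Provider Type: 1 - PROV_RSA_FULL
Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Provider Type: 24 - PROV_RSA_AES
Provider Name: Microsoft Software Key Storage Provider
Provider Name: Microsoft Platform Crypto Provider
Microsoft Platform Crypto Provider: The device that is required by this cryptographic provider is not ready for use.
CertUtil: -csplist command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
'@ -split "`r?`n"

# On a live server use instead: $sample = certutil -csplist 2>&1 | ForEach-Object { "$_" }
$target    = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$providers = ConvertFrom-CspList -Lines $sample

# FIPS policy flag (1 = enabled); absent or unreadable yields $null.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled -ErrorAction SilentlyContinue

[pscustomobject]@{
    PSEdition       = $PSVersionTable.PSEdition   # Core = PowerShell 7, Desktop = Windows PowerShell
    TargetProvider  = $providers | Where-Object Name -eq $target
    FipsEnabled     = $fips.Enabled
    AdcsModuleFound = [bool](Get-Module -ListAvailable -Name ADCSDeployment)
} | Format-List
```

The report shows in one place whether the provider is registered, which PowerShell edition is in use, whether FIPS policy is on, and whether the ADCSDeployment module is visible to that session.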

