Certificate template compatibility questions

Question

Good afternoon everyone,

I often works on PKI projects, I have two questions and I would like to hear your recommendations and point of view :

#1 - What are the best practices regarding certificates templates compatibility settings (Certification Authority & Certificate Recipient) ?
The concept is clear. However, as Vadims points out in his answer here (https://social.msdn.microsoft.com/Forums/en-US/970154fa-908f-4460-8df4-9b89aee6afc1/adcs-templates-compatibility-question?forum=winserversecurity), there may be some side effects with applications. This post is 5 years old, do you have any recommendations or updates ?

#2 - What would you recommend regarding the Cryptographic Service Providers ?
This post is really clear : https://www.pkisolutions.com/understanding-microsoft-crypto-providers/. I woud like to know if you have any recommendation, warning or complementary advice about using recent CSP.

As usual, thank you for your time !

Answer 1

.NET added very solid CNG support in last couple years, so developers easily can add CNG support in their applications. It is what was significantly changed since I wrote that post. World moves toward CNG (modern) crypto. However, the question is too broad and I would configure every template according to intended purpose and applications that will utilize certificates. If you would clarify your question to be more specific, then I maybe could add more specific recommendations.

Answer 2

Both questions were indeed broad, but writing this initial post made me realize several things, and your answer also helped me !

Thank you for your answer ! If I have more specific questions, I will come back !.