bartn92-8536 asked Crypt32 commented

Subordinate Certification Authority template increase minimum key size

Hi,

I have a two-tiered on-premises PKI: an offline root and an issuing subordinate CA. I need to generate a TLS proxy certificate for HTTPS inspection. I created a new certificate template by duplicating Subordinate Certification Authority. I see that by default the msPKI-Minimal-Key-Size attribute for this template is set to 1024. I would like to increase it to 2048. There is no Cryptography tab in the template settings, so I cannot enforce a minimum key size. Is there any way to override this setting?


windows-server-security
Crypt32 answered Crypt32 commented

You can specify the required key size in the certificate request; this template setting makes little sense for a CA, since you generate the key on your (client) side and only submit the request to the CA for signing. Just specify the desired key size when generating the request.


Thank you for your comment. Leaving aside the topic of the Subordinate Certification Authority template, is it possible to set a minimum key size at the CA level for all certificates? Or is this controlled solely by certificate templates?


It is controlled by template. You cannot enforce this on CA level.

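The approach in the accepted answer, as an added example that is not part of the thread: a certreq INF that fixes the key length at 2048 bits for a request against a duplicated Subordinate CA template, followed by a check of the resulting key size before the request is submitted. The template name, subject and CA config string are placeholders.

```powershell
# Added example, not from the thread. Builds a subordinate-CA request with an
# explicit 2048-bit RSA key and verifies the key length before submission.
$TemplateName = 'ProxyInspectionSubCA'                       # placeholder: your duplicated template
$Subject      = 'CN=TLS Inspection Proxy CA, O=Example Corp' # placeholder
$CaConfig     = 'ISSUINGCA01\Example Issuing CA'             # placeholder: "host\CA common name"
$Inf = Join-Path $env:TEMP 'subca.inf'
$Csr = Join-Path $env:TEMP 'subca.req'
$Cer = Join-Path $env:TEMP 'subca.cer'

# KeyLength is set in the request, which is where the key is generated.
# KeyUsage 0x06 = keyCertSign | cRLSign; other CA extensions come from the template.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0x06
MachineKeySet = true
Exportable = false
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request.
certreq -new $Inf $Csr

# Confirm the public key length that will be presented to the CA.
$keyLine = certutil -dump $Csr | Select-String 'Public Key Length'
if ($keyLine -notmatch '2048') {
    throw "Unexpected key length in request: $keyLine"
}

# Submit to the issuing CA; the template governs whether the CA accepts it.
certreq -submit -config $CaConfig $Csr $Cer
```

Run it in an elevated session on the machine that will hold the proxy CA key, since MachineKeySet stores the key in the local machine store.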
LimitlessTechnology-2700 answered

Hello @Bartn92-8536,

Thank you for your question.

Some recommendations below for you:

1) I never recommend using pre-installed templates. Even if the template is fine, I recommend duplicating it with the same settings, updating the key length and adding corporate branding to the template. This can be useful for later debugging and for comparing against the standard models.

2) You can try running the "certutil -InstallDefaultTemplates" command

I recommend that you also consult the topic below which deals with a problem similar to yours, I believe it may be useful:

https://docs.microsoft.com/en-us/answers/questions/104861/domain-conroller-certificate-key-size.html

If the answer is helpful, please vote positively and accept as an answer.
