Certificate template key length after AD upgrade

Antoine Leca 21 Reputation points
2020-09-07T07:52:12.25+00:00

My AD forest have slowly evolved from its NT4 ancestor. Certificate services were introduced when it was at 2003 level. Now I have migrated up to 2016, and the key lengths of the certificate templates are (of course) the same they were when created years ago, as are the versions and subversions.
But when I compare with my test-bed environment which is a brand new 2016 domain, while all the Microsoft templates have the same version and subversions, the key lengths changed, mostly from 1024 to 2048.

  • Did I miss some step while doing some migration, or is it something which is common to all the domains which evolved from what they were eons ago?
  • Are there migration instructions available somewhere to update the key length in my forest to keep in line with the up-to-date reference?

Antoine

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,728 questions
Windows Server Migration
Windows Server Migration
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Migration: The process of making existing applications and data work on a different computer or operating system.
408 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vadims Podāns 9,036 Reputation points MVP
    2020-09-07T09:00:31.84+00:00
    1. I never recommend to use pre-installed templates. Even if template is ok itself, I recommend to duplicate it with same settings, update key length and add comany branding to template. This may be useful to debug it further and compare with default templates.
    2. You can try to run certutil -InstallDefaultTemplates command.
    0 comments
  2. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2020-09-08T02:20:06.233+00:00

    Hello @Antoine Leca

    Thank you for posting here.

    I viewed the CA environtment in my lab, 2012 R2 domain and 2019 CA server ( 2012 R2 domain and 2016 CA server), after duplicating the certificate templates, by default, the key length on the certificate templates are 2048.

    For CA migration, if the CA environment after CA migration is healthy (we can check by opening PKIview.msc console and all the status are OK), the PKI instructure should be fine.

    For key length on the certificate templates, we can change key length when we duplicate certificate template.
    23027-key2.png

    Or we can change key length when we request certificate through MMC console.

    23019-key1.png

    We can chang the key length on the certificate templates if needed though the key length on the certificate templates changed mostly from 1024 to 2048.

    I am sorry, I can not find instructions available to update the key length.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments