Certificate template key length after AD upgrade

Antoine Leca 21 Reputation points
2020-09-07T07:52:12.25+00:00

My AD forest has slowly evolved from its NT4 ancestor. Certificate services were introduced when it was at 2003 level. Now I have migrated up to 2016, and the key lengths of the certificate templates are (of course) the same they were when created years ago, as are the versions and subversions.
But when I compare with my test-bed environment which is a brand new 2016 domain, while all the Microsoft templates have the same version and subversions, the key lengths changed, mostly from 1024 to 2048.

  • Did I miss some step while doing some migration, or is it something which is common to all the domains which evolved from what they were eons ago?
  • Are there migration instructions available somewhere to update the key length in my forest to keep in line with the up-to-date reference?

Antoine

  1. Vadims Podāns 8,081 Reputation points Microsoft MVP
    2020-09-07T09:00:31.84+00:00
    1. I never recommend using pre-installed templates. Even if the template is OK itself, I recommend duplicating it with the same settings, updating the key length and adding company branding to the template. This may be useful to debug it further and compare with the default templates.
    2. You can try to run certutil -InstallDefaultTemplates command.

  2. Daisy Zhou 12,916 Reputation points Microsoft Employee
    2020-09-08T02:20:06.233+00:00

    Hello @Antoine Leca

    Thank you for posting here.

    I viewed the CA environment in my lab, 2012 R2 domain and 2019 CA server (2012 R2 domain and 2016 CA server); after duplicating the certificate templates, by default, the key length on the certificate templates is 2048.

    For CA migration, if the CA environment after CA migration is healthy (we can check by opening the PKIview.msc console and confirming all the statuses are OK), the PKI infrastructure should be fine.

    For key length on the certificate templates, we can change key length when we duplicate certificate template.
    [screenshot: 23027-key2.png]

    Or we can change key length when we request certificate through MMC console.

    [screenshot: 23019-key1.png]

    We can change the key length on the certificate templates if needed, though the key length on the certificate templates changed mostly from 1024 to 2048.

    I am sorry, I cannot find instructions available to update the key length.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


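Both answers suggest duplicating templates and changing the key length, but neither shows how to find out which templates in an upgraded forest are still at 1024 bits, or how to compare them with a fresh 2016 forest as the question asks. The following PowerShell script is an added example, not code from this thread or from Microsoft; it reads the template objects from the forest's Configuration partition (where AD CS stores them) and assumes the RSAT ActiveDirectory module is installed and that the reference server name 'dc01.testbed.example' is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-TemplateKeySize {
    # Return one record per certificate template: display name, schema version,
    # major.minor version, minimum key size (bits) and a flag for anything below 2048.
    param([string]$Server)   # optional DC/forest to query; default is the current forest
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }
    $dse  = Get-ADRootDSE @adArgs
    # Templates live in the Configuration naming context and replicate forest-wide
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$($dse.configurationNamingContext)"
    Get-ADObject @adArgs -SearchBase $base -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties displayName, 'msPKI-Minimal-Key-Size', 'msPKI-Template-Schema-Version',
                    revision, 'msPKI-Template-Minor-Revision' |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.displayName
            SchemaVersion = $_.'msPKI-Template-Schema-Version'
            Version       = '{0}.{1}' -f $_.revision, $_.'msPKI-Template-Minor-Revision'
            MinKeySize    = [int]$_.'msPKI-Minimal-Key-Size'
            Below2048     = ([int]$_.'msPKI-Minimal-Key-Size') -lt 2048
        }
    }
}

# Templates in the upgraded forest that still carry a minimum key size below 2048 bits
$prod = Get-TemplateKeySize
$prod | Where-Object Below2048 | Sort-Object Name |
    Format-Table Name, SchemaVersion, Version, MinKeySize -AutoSize

# Compare against a reference forest such as the fresh 2016 test-bed from the question.
# 'dc01.testbed.example' is a placeholder host name, not one from the thread.
# $ref = Get-TemplateKeySize -Server 'dc01.testbed.example'
# Compare-Object $prod $ref -Property Name, MinKeySize | Sort-Object Name
```

Templates listed by the first report are the ones to duplicate with a 2048-bit minimum (per the first answer) and then re-publish on the CA; the Compare-Object output shows which ones differ from the reference forest only in key size while sharing the same version numbers.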