Establishing key options and key archival

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003, Standard Edition, establishes public and private key options when issuing certificates to subjects. It also configures management and storage of the private key at that time. There are a number of settings that control the generation and management of certificate-based keys.

| Setting | Description |
| --- | --- |
| Archive subject's encryption private key | If the issuing Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, certification authority is configured for key archival, the subject's private key will be archived. |
| Include symmetric algorithms allowed by the subject | When the subject requests the certificate, they can supply a list of supported symmetric algorithms. This option allows the issuing certification authority to include those algorithms in the certificate, even if they are not recognized or supported by that server. The algorithms are commonly used by applications like Encrypting File System (EFS) or secure e-mail. |
| Minimum key size | This specifies the minimum size, in bits, of the key that will be generated for this certificate. |
| Cryptographic service providers | This is a list of cryptographic service providers (CSPs) that are installed on the certification authority. Selecting one or more CSPs configures the certificate to only work with those CSPs. If you do not select a CSP, the certificate works with any installed CSP. |
| Allow private key to be exported | When this option is specified, the subject can export their private key for backup or transportation. |

Note that some of these settings are not enforced by the issuing certification authority and may be ignored.
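The following is an added example, not part of the original documentation: a Python sketch that decodes the Active Directory certificate template attributes in which these five settings are stored and lists the ones worth reviewing. The attribute names and flag values follow the MS-CRTD specification; the template names, attribute values and the 2048-bit policy threshold are constructed assumptions.

```python
# Attribute names and flag values follow the MS-CRTD specification.
ARCHIVE_KEY = 0x01       # msPKI-Private-Key-Flag: require private key archival
EXPORTABLE_KEY = 0x10    # msPKI-Private-Key-Flag: allow private key export
INCLUDE_SYM_ALGS = 0x01  # msPKI-Enrollment-Flag: include symmetric algorithms


def decode_template(attrs):
    """Map raw template attributes to the five settings described above."""
    # LDAP may return flag integers as signed strings; normalise to 32 bits.
    pk = int(attrs.get("msPKI-Private-Key-Flag", 0)) & 0xFFFFFFFF
    enroll = int(attrs.get("msPKI-Enrollment-Flag", 0)) & 0xFFFFFFFF
    # Each pKIDefaultCSPs value is "<priority>,<provider name>".
    ranked = sorted((int(p), n) for p, n in
                    (v.split(",", 1) for v in attrs.get("pKIDefaultCSPs", [])))
    return {
        "archive_key": bool(pk & ARCHIVE_KEY),
        "include_symmetric_algorithms": bool(enroll & INCLUDE_SYM_ALGS),
        "minimum_key_size": int(attrs.get("msPKI-Minimal-Key-Size", 0)),
        "csps": [name for _, name in ranked],
        "exportable": bool(pk & EXPORTABLE_KEY),
    }


def audit_template(name, attrs, min_bits=2048):
    """Return review findings; min_bits is an assumed local policy value."""
    s = decode_template(attrs)
    findings = []
    if s["exportable"]:
        findings.append(f"{name}: private key can be exported by the subject")
    if s["minimum_key_size"] < min_bits:
        findings.append(f"{name}: minimum key size {s['minimum_key_size']} "
                        f"is below {min_bits} bits")
    if not s["csps"]:
        findings.append(f"{name}: no CSP selected, any installed CSP is allowed")
    return findings


# Constructed sample data, shaped like an LDAP export of two templates.
WEAK = {"msPKI-Private-Key-Flag": "16", "msPKI-Enrollment-Flag": "1",
        "msPKI-Minimal-Key-Size": "1024", "pKIDefaultCSPs": []}
HARDENED = {"msPKI-Private-Key-Flag": "1", "msPKI-Enrollment-Flag": "1",
            "msPKI-Minimal-Key-Size": "2048", "pKIDefaultCSPs": [
                "2,Microsoft Base Cryptographic Provider v1.0",
                "1,Microsoft Enhanced Cryptographic Provider v1.0"]}

if __name__ == "__main__":
    for label, tpl in (("ConstructedWeak", WEAK), ("ConstructedHardened", HARDENED)):
        print(label, decode_template(tpl), audit_template(label, tpl))
```

The findings describe what the template requests. As the note above says, some of these settings are not enforced by the issuing certification authority.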