
how to renew the Root CA with longer key length?

Newsgroup: microsoft.public.windows.server.security

Subject Author Date
how to renew the Root CA with longer key length? Steve 03-16-2006
Posted by Steve on March 16, 2006, 3:16 pm
We created our Windows 2000 Certificate Authority server back in 2002 with a
512 bit key. We now need to renew the CA since it expires in less than a
year. Is it possible to renew our CA with a new key that has a longer key
length of 4096? The "Renew CA" wizard doesn't seem to give that option.

For reference on the wizard I'm talking about, see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
(section "Reviewing and Renewing the Root CA Certificate").

Thanks.



Posted by Brian Komar [MVP] on March 16, 2006, 4:38 pm
says...
> We created our Windows 2000 Certificate Authority server back in 2002 with a
> 512 bit key. We now need to renew the CA since it expires in less than a
> year. Is it possible to renew our CA with a new key that has a longer key
> length of 4096? The "Renew CA" wizard doesn't seem to give that option.
>
> For reference on the wizard I'm talking about, see
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
> (section "Reviewing and Renewing the Root CA Certificate").
>
> Thanks.
>
>
>
You need to implement a CAPolicy.inf file in the %windir% with the new
key length settings. See the best practices whitepaper at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Something like this should work:
[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]

Do be careful with a 4096 key length. If these words mean something in
your network, you should test before you move to 4096: Java, Cisco VPN
3000, Nortel Contivity.

Most often, you are looking at a 2048 bit key as the maximum
interoperable key length.

Brian
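
Before dropping a CAPolicy.inf into %windir% and running the renewal, it is worth checking the file mechanically: a typo in the section name or key means the renewal silently reuses the old key length. The linter below is an added example, not code from this thread or from Microsoft. It parses the INF text with the standard library, checks the [Version] signature, confirms RenewalKeyLength is present and numeric, flags anything under 2048 bits as weak and anything over 2048 bits with the interoperability warning Brian gives, and reports whether the CDP/AIA sections are present and empty. The 2048-bit floor and ceiling, the two embedded sample files (Brian's configuration and a constructed 512-bit counterpart) and the lint_file helper are assumptions made for this example.

```python
"""Lint a CAPolicy.inf before renewing a root CA with a new key (added example)."""
import configparser
from typing import List, Optional

# Brian's renewal configuration from the thread, embedded as the "good" sample.
SAMPLE_GOOD = """\
[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]
"""

# Constructed counterpart that would carry the 2002-era 512-bit key forward.
SAMPLE_WEAK = """\
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=512
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
"""

MIN_KEY_BITS = 2048          # assumed floor: smaller keys are reported as errors
MAX_INTEROP_KEY_BITS = 2048  # Brian's interoperability ceiling: larger keys get a warning
VALID_PERIODS = {"hours", "days", "weeks", "months", "years"}


def parse_capolicy(text: str) -> configparser.ConfigParser:
    """Parse INF text; interpolation is off so "$Windows NT$" is taken literally."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp


def find_section(cp: configparser.ConfigParser, name: str) -> Optional[str]:
    """INF section names are case-insensitive; return the spelling used in the file."""
    for sec in cp.sections():
        if sec.lower() == name.lower():
            return sec
    return None


def lint_capolicy(text: str) -> List[str]:
    """Return findings as 'LEVEL: message' strings (LEVEL is ERROR, WARN or INFO)."""
    findings: List[str] = []
    cp = parse_capolicy(text)

    ver = find_section(cp, "Version")
    sig = cp.get(ver, "Signature", fallback="") if ver else ""
    if sig.strip().strip('"') != "$Windows NT$":
        findings.append('ERROR: [Version] must contain Signature="$Windows NT$" or the file is ignored')

    srv = find_section(cp, "Certsrv_Server")
    if srv is None:
        findings.append("ERROR: no [Certsrv_Server] section; renewal settings cannot take effect")
        return findings
    section = cp[srv]

    key_raw = section.get("RenewalKeyLength")
    if key_raw is None:
        findings.append("WARN: RenewalKeyLength not set; the renewal keeps the existing key length")
    elif not key_raw.strip().isdigit():
        findings.append(f"ERROR: RenewalKeyLength '{key_raw}' is not an integer")
    else:
        bits = int(key_raw)
        if bits < MIN_KEY_BITS:
            findings.append(f"ERROR: {bits}-bit RSA key is below the {MIN_KEY_BITS}-bit floor")
        elif bits > MAX_INTEROP_KEY_BITS:
            findings.append(f"WARN: {bits}-bit key exceeds {MAX_INTEROP_KEY_BITS} bits; "
                            "test relying parties (Java, VPN appliances) before renewing")

    period = section.get("RenewalValidityPeriod")
    units = section.get("RenewalValidityPeriodUnits")
    if (period is None) != (units is None):
        findings.append("ERROR: RenewalValidityPeriod and RenewalValidityPeriodUnits must be set together")
    else:
        if period is not None and period.strip().lower() not in VALID_PERIODS:
            findings.append(f"ERROR: RenewalValidityPeriod '{period}' is not one of {sorted(VALID_PERIODS)}")
        if units is not None and not units.strip().isdigit():
            findings.append(f"ERROR: RenewalValidityPeriodUnits '{units}' is not an integer")

    # For a self-signed root, an empty section is what keeps that extension out of the certificate.
    for name in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        sec = find_section(cp, name)
        if sec is None:
            findings.append(f"INFO: no [{name}] section; add an empty one to omit that extension from the root")
        elif cp.options(sec):
            findings.append(f"WARN: [{name}] lists entries; a self-signed root normally leaves this section empty")
    return findings


def lint_file(path: str) -> List[str]:
    """Lint an on-disk CAPolicy.inf (Notepad may have saved it as UTF-16 with a BOM)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8-sig")
    return lint_capolicy(text)


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(f"--- {label} ---")
        for line in lint_capolicy(sample) or ["OK: no findings"]:
            print(line)
```

Run against Brian's file the only finding is the interoperability warning on 4096 bits; the 512-bit file produces an error plus two notes that the CDP and AIA sections are missing. Pointing lint_file at %windir%\CAPolicy.inf before starting the Renew CA wizard catches the file-not-read class of mistakes, which otherwise only shows up after the new root certificate has already been issued.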

Posted by Steve on March 17, 2006, 11:12 am
Thanks Brian! I appreciate the info. I'll check it out.


