Re: how to renew the Root CA with longer key length?



In article <OR3e0ZTSGHA.5552@xxxxxxxxxxxxxxxxxxxx>, smiths@xxxxxxxx says...
We created our Windows 2000 Certificate Authority server back in 2002 with a
512 bit key. We now need to renew the CA since it expires in less than a
year. Is it possible to renew our CA with a new key that has a longer key
length of 4096? The "Renew CA" wizard doesn't seem to give that option.

For reference on the wizard I'm talking about, see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
(section "Reviewing and Renewing the Root CA Certificate").

Thanks.



You need to implement a CAPolicy.inf file in the %windir% with the new
key length settings. See the best practices whitepaper at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Something like this should work:
[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
; Key length used when the CA certificate is renewed with a new key pair
RenewalKeyLength=4096
; Lifetime of the renewed CA certificate: 20 years
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Left empty so the renewed root certificate carries no CDP/AIA URLs
[CRLDistributionPoint]
[AuthorityInformationAccess]

Do be careful with a 4096 key length. If these words mean something in
your network, you should test before you move to 4096: Java, Cisco VPN
3000, Nortel Contivity.

Most often, you are looking at a 2048 bit key as the maximum
interoperable key length.

Brian
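The steps in Brian's reply put together as a PowerShell script. This is an added example, not code from either post: it writes the CAPolicy.inf into %windir%, backs up the CA, renews the CA certificate with a new key pair, and then reads the key size out of the renewed certificate to confirm the setting took effect. Assumptions that are not from the thread: it runs in an elevated session on the CA itself, C:\CABackup and the 2048-bit choice are placeholders, and certutil's -backup, -renewCert and -ca.cert switches exist on this CA. On a Windows 2000 CA, place the file the same way and run the "Renew CA Certificate" wizard choosing a new key pair instead of the -renewCert line; the wizard reads the same CAPolicy.inf.

```powershell
# Added example (not from the original thread): stage CAPolicy.inf, back up
# the CA, renew with a NEW key pair, then verify the renewed cert's key size.
# Assumptions: elevated session on the CA; $BackupDir and the key length are
# placeholders; certutil -backup / -renewCert / -ca.cert are available here.

$ErrorActionPreference = 'Stop'
$BackupDir     = 'C:\CABackup'   # placeholder path
$RenewalKeyLen = 2048            # go to 4096 only after testing the clients Brian lists

# CAPolicy.inf template. Single-quoted here-string, so "$Windows NT$" is
# written literally; {0} is filled in by -f below.
$template = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength={0}
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

[CRLDistributionPoint]
[AuthorityInformationAccess]
'@

function Write-CaPolicy {
    param([int]$KeyLength)
    # certsrv looks for the file in %windir%, not in the CA's config directory
    $path = Join-Path $env:windir 'CAPolicy.inf'
    Set-Content -Path $path -Value ($template -f $KeyLength) -Encoding ASCII
    return $path
}

function Get-CaCertInfo {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    [pscustomobject]@{
        Subject    = $cert.Subject
        KeySize    = $cert.PublicKey.Key.KeySize
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# 1. The policy file must be in place before the renewal, otherwise the CA
#    keeps its previous key length.
$policyPath = Write-CaPolicy -KeyLength $RenewalKeyLen
Write-Host "Wrote $policyPath"

# 2. Back up certificate, key and database first; certutil prompts for the
#    password that protects the exported private key.
certutil -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "CA backup failed ($LASTEXITCODE)" }

# 3. Renew. Without the ReuseKeys keyword a new key pair of RenewalKeyLength
#    bits is generated; for a root CA the new self-signed certificate is
#    installed directly. The old CA certificate stays installed, so
#    certificates issued under the old key still chain until it expires.
certutil -renewCert
if ($LASTEXITCODE -ne 0) { throw "CA renewal failed ($LASTEXITCODE)" }
Restart-Service CertSvc

# 4. Export the now-current CA certificate and confirm the key size changed.
$exported = Join-Path $env:TEMP 'renewed-ca.cer'
certutil -ca.cert $exported | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed ($LASTEXITCODE)" }
$info = Get-CaCertInfo -CertPath $exported
$info | Format-List
if ($info.KeySize -ne $RenewalKeyLen) {
    throw "Renewed CA cert has a $($info.KeySize)-bit key, expected $RenewalKeyLen"
}
```

Run the verification part on its own (Get-CaCertInfo against a cert exported with certutil -ca.cert) before the renewal as well, so you have the old key size and expiry recorded next to the new ones; if the KeySize does not change after step 3, the file was not picked up, which almost always means it was not in %windir% or was not named exactly CAPolicy.inf.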


