Re: how to renew the Root CA with longer key length?
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Mar 2006 15:38:51 -0600
In article <OR3e0ZTSGHA.5552@xxxxxxxxxxxxxxxxxxxx>, smiths@xxxxxxxx
says...
> We created our Windows 2000 Certificate Authority server back in 2002 with a
> 512 bit key. We now need to renew the CA since it expires in less than a
> year. Is it possible to renew our CA with a new key that has a longer key
> length of 4096? The "Renew CA" wizard doesn't seem to give that option.
> For reference on the wizard I'm talking about, see
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
> (section "Reviewing and Renewing the Root CA Certificate").
> Thanks.

You need to implement a CAPolicy.inf file in the %windir% with the new
key length settings. See the best practices whitepaper at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Something like this should work:
[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]
Do be careful with a 4096 key length. If these words mean something in
your network, you should test before you move to 4096: Java, Cisco VPN
3000, Nortel Contivity.
Most often, you are looking at a 2048 bit key as the maximum
interoperable key length.
Brian
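
A pre-renewal check for the CAPolicy.inf settings discussed above, as an added example that is not part of the original post or any Microsoft tooling. The helper name `lint_capolicy`, its `current_key_bits` parameter, and the choice to treat anything above 2048 bits as a warning (based on the interoperability remark in the post) are assumptions of this example.

```python
import configparser

INTEROP_MAX_BITS = 2048  # ceiling the post calls "maximum interoperable"

SAMPLE = """[Version]
Signature= "$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
[CRLDistributionPoint]
[AuthorityInformationAccess]
"""  # the file from the post above

def lint_capolicy(text, current_key_bits):
    """Return (severity, message) findings for CAPolicy.inf text (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # INF section names are case-insensitive; configparser's are not.
    sections = {name.lower(): cp[name] for name in cp.sections()}
    findings = []

    sig = sections.get("version", {}).get("signature", "").strip().strip('"')
    if sig.lower() != "$windows nt$":
        findings.append(("error", '[Version] Signature is not "$Windows NT$"'))

    srv = sections.get("certsrv_server")
    if srv is None:
        return findings + [("error", "missing [Certsrv_Server] section")]

    def positive_int(key):
        raw = srv.get(key, "").strip()
        return int(raw) if raw.isdigit() and int(raw) > 0 else None

    bits = positive_int("RenewalKeyLength")
    if bits is None:
        findings.append(("error", "RenewalKeyLength missing or not a positive integer"))
    else:
        if bits <= current_key_bits:
            findings.append(("error", f"RenewalKeyLength {bits} is not longer than the current {current_key_bits}-bit key"))
        if bits > INTEROP_MAX_BITS:
            findings.append(("warn", f"RenewalKeyLength {bits} exceeds {INTEROP_MAX_BITS}: test relying clients first"))
    if positive_int("RenewalValidityPeriodUnits") is None:
        findings.append(("error", "RenewalValidityPeriodUnits missing or not a positive integer"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_capolicy(SAMPLE, current_key_bits=512):
        print(f"{severity}: {message}")
```

Run against the file from the post with a 512-bit current key, it reports one warning for the 4096-bit length and no errors.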