Re: how to renew the Root CA with longer key length?



In article <OR3e0ZTSGHA.5552@xxxxxxxxxxxxxxxxxxxx>, smiths@xxxxxxxx
says...
We created our Windows 2000 Certificate Authority server back in 2002 with a
512 bit key. We now need to renew the CA since it expires in less than a
year. Is it possible to renew our CA with a new key that has a longer key
length of 4096? The "Renew CA" wizard doesn't seem to give that option.

For reference on the wizard I'm talking about, see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/maintain/featusability/c06iis.mspx
(section "Reviewing and Renewing the Root CA Certificate").

Thanks.



You need to implement a CAPolicy.inf file in the %windir% with the new
key length settings. See the best practices whitepaper at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Something like this should work:
[Version]
Signature= "$Windows NT$"

[Certsrv_Server]
; Key length and lifetime used the next time the CA certificate is renewed with a new key
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; Empty sections: the renewed root certificate carries no CDP or AIA extension
[CRLDistributionPoint]
[AuthorityInformationAccess]

Do be careful with a 4096 key length. If these words mean something in
your network, you should test before you move to 4096: Java, Cisco VPN
3000, Nortel Contivity.

Most often, you are looking at a 2048 bit key as the maximum
interoperable key length.

Brian
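Before and after a renewal like the one above, the thing worth checking is the actual modulus length in the CA certificate (the one exported from the CA, or the copy every client carries in its trusted roots). The following script is an added example for this thread, not code from either poster or from Microsoft: it parses the DER/PEM certificate with the standard library only, returns the RSA key length, and classifies it against the advice in the reply. The thresholds in classify() (2048 as floor and as widest-supported size) and the sample_cert() builder, which fabricates a syntactically valid but unsigned certificate purely as constructed test input, are editorial assumptions.

```python
"""Report the RSA modulus length of an X.509 certificate (DER or PEM) using the
standard library only, and judge it against the key-size advice in the thread.
Added example for this thread; thresholds in classify() are editorial assumptions."""
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption (sample data only)


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(data):
    """Accept either a PEM CERTIFICATE block or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def rsa_key_bits(cert):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return the modulus size."""
    _, certificate, _ = der_read(pem_to_der(cert))
    tbs = der_children(certificate)[0][1]               # first child of Certificate is tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]  # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, subject_public_key = der_children(spki)
    if der_children(algorithm[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    rsa_public_key = subject_public_key[1][1:]          # BIT STRING: drop the unused-bits octet
    modulus = der_children(der_read(rsa_public_key)[1])[0][1]
    return int.from_bytes(modulus, "big").bit_length()


def classify(bits, minimum=2048, interop_max=2048):
    """Editorial thresholds (assumption): shorter than `minimum` should be renewed with a
    new key; longer than `interop_max` needs interoperability testing first."""
    if bits < minimum:
        return "too short, renew with a new key"
    if bits > interop_max:
        return "test interoperability before deploying"
    return "acceptable"


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(i):
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # keeps INTEGER positive


def sample_cert(key_bits):
    """CONSTRUCTED sample: a syntactically valid, unsigned Certificate whose RSA modulus has
    exactly key_bits bits. Not a real certificate; it fails any signature check."""
    modulus = (1 << (key_bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))
    sig_alg = _der(0x30, _der(0x06, SHA256_RSA_OID) + _der(0x05, b""))
    name = _der(0x30, b"")                              # empty Name is enough for the parser
    validity = _der(0x30, _der(0x17, b"020101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))  # dummy signature


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert(512)
    bits = rsa_key_bits(data)
    print(f"RSA key length: {bits} bits -> {classify(bits)}")
```

Run it as `python checkkey.py rootca.cer` against the certificate exported from the CA (certutil -ca.cert or the MMC export, DER or Base-64), once before the renewal to confirm the 512-bit finding and once after to confirm the new certificate really carries the RenewalKeyLength you asked for. The parser handles RSA keys only, which is what a 2000-era Windows CA issues.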