Re: how to renew the Root CA with longer key length?

We created our Windows 2000 Certificate Authority server back in 2002 with a
512 bit key. We now need to renew the CA since it expires in less than a
year. Is it possible to renew our CA with a new key that has a longer key
length of 4096? The "Renew CA" wizard doesn't seem to give that option.

For reference on the wizard I'm talking about, see
(section "Reviewing and Renewing the Root CA Certificate").


You need to implement a CAPolicy.inf file in the %windir% with the new
key length settings. See the best practices whitepaper at

Something like this should work:
[Version]
Signature="$Windows NT$"

Do be careful with a 4096 key length. If these words mean something in
your network, you should test before you move to 4096: Java, Cisco VPN
3000, Nortel Contivity.

Most often, you are looking at a 2048 bit key as the maximum
interoperable key length.
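The CAPolicy.inf the reply refers to, written out as an added example (not from the original thread); the section and key names are the standard CAPolicy.inf ones, while the validity period values are assumptions:

```ini
; CAPolicy.inf: place in %windir% on the CA before running the Renew CA wizard.
; Added example, not from the original thread. Validity values below are assumed.
[Version]
Signature="$Windows NT$"

[certsrv_server]
; Key length for the renewed CA key pair (takes effect only when the wizard
; is told to generate a new key pair). 2048 is the interoperable choice the
; reply recommends; 4096 is the value the question asks about and should be
; tested against Java, Cisco VPN 3000 and Nortel Contivity clients first.
RenewalKeyLength=2048
; RenewalKeyLength=4096

; Lifetime of the renewed root certificate (assumed values).
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
```

After renewal, export the new CA certificate and run `certutil -dump` on it; the "Public Key Length" line confirms which key length actually took effect.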