MDM support of CNG and key length

  • Thursday, October 29, 2009 1:32 PM, GforumB
    Does the latest version of MDM support CNG provider (using WS08 R2 PKI) and what is the maximum key length it supports?

Answers

  • Sunday, November 01, 2009 8:20 PM, Andreas Helland
     Answer
    CNG is a no-go. 1024 is max for devices. 2048 might work for the servers, but I'd probably go for the known and tested 1024 key length for these as well. (The server roles all require SSL, both for communicating to each other, and with the devices.)

    But if you have an enterprise 2008 PKI running you are ready to roll with SCMDM.

All Replies

  • Thursday, October 29, 2009 1:43 PM, Andreas Helland
    MDM does not support CNG (as far as I know), and the maximum key length is 1024. I've tested 2048, and it does not work due to client side restrictions.
  • Thursday, October 29, 2009 2:34 PM, GforumB
    Thanks. Would the key length only be a restriction at the Issuing CA level or the entire CA chain?
  • Thursday, October 29, 2009 2:43 PM, Andreas Helland
    It just occurred to me that I didn't ask you to clarify whether you had certificates on the devices in mind, or the certificates on the MDM servers :)

    To step things through properly:
    - The Windows Mobile devices are not able to generate larger key sizes through the interface the enrollment uses on the device. The devices are able to use larger key sizes, but not for the purpose of MDM.
    - The MDM servers can only run on Windows Server 2003. As I understand it you need Windows Server 2008 (or Vista SP2) to use CNG (correct me if I am wrong), and this excludes CNG on the server side.
    - I have not tried using 2048 as key size for the certificate templates that the servers use. You can generate these certificates manually though, so maybe that works.
    - SCMDM supports using a 2008 PKI, so they are compatible as such. (Were there any changes in Certificate Services in R2 from "R1" 2K8?)
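A check an administrator can run before enrolling, added here as an example; it is not part of this thread and not code from the MDM product. It loads a certificate file, builds its chain on the local machine, reports the key algorithm and key size of every element (the issuing CA and the rest of the chain, which the question above asks about), and flags any RSA key above 1024 bits, the limit the replies give for the Windows Mobile enrollment interface. If the same certificate is installed in the machine store with a private key, it also reports whether that key is held by a legacy CSP or is not reachable through the CSP interface (which on .NET Framework indicates a CNG key). The certificate path is a placeholder; the 1024-bit limit is the figure stated in this thread.

```powershell
# Added example (not from the thread): report key sizes along a certificate chain
# and show whether an installed private key is a legacy CSP key or a CNG key.
param(
    [string]$CertPath = "C:\temp\mdm-cert.cer",   # placeholder path, replace with your own file
    [int]$MaxDeviceKeyBits = 1024                 # limit quoted in the thread for device enrollment
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain from the local machine's trust stores. Revocation checking is
# switched off so an unreachable CRL distribution point does not hide key-size results.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# One row per chain element: leaf first, root last.
$report = foreach ($element in $chain.ChainElements) {
    $c    = $element.Certificate
    $algo = $c.PublicKey.Oid.FriendlyName          # e.g. "RSA"
    $bits = $c.PublicKey.Key.KeySize               # public key size in bits (RSA/DSA on .NET Framework)
    New-Object PSObject -Property @{               # PSObject keeps this PowerShell 2.0 compatible
        Subject      = $c.Subject
        KeyAlgorithm = $algo
        KeyBits      = $bits
        SigAlgorithm = $c.SignatureAlgorithm.FriendlyName
        NotAfter     = $c.NotAfter
        OverLimit    = ($algo -eq 'RSA' -and $bits -gt $MaxDeviceKeyBits)
    }
}

$report | Format-Table Subject, KeyAlgorithm, KeyBits, SigAlgorithm, NotAfter, OverLimit -AutoSize

if (-not $built) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build cleanly: $status"
}

$over = @($report | Where-Object { $_.OverLimit })
if ($over.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the chain use RSA keys larger than {1} bits." -f $over.Count, $MaxDeviceKeyBits)
}

# If the certificate is installed in LocalMachine\My with a private key, find out which
# provider holds that key. X509Certificate2.PrivateKey on .NET Framework only exposes
# legacy CAPI (CSP) keys; a CNG key store provider key raises a CryptographicException.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$installed = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
    $cert.Thumbprint, $false)
$store.Close()

if ($installed.Count -gt 0 -and $installed[0].HasPrivateKey) {
    try {
        $provider = $installed[0].PrivateKey.CspKeyContainerInfo.ProviderName
        Write-Host "Private key provider: $provider (legacy CSP)"
    } catch {
        Write-Warning "Private key is not reachable through a legacy CSP; it is most likely a CNG key."
    }
} elseif ($installed.Count -gt 0) {
    Write-Host "Certificate is installed in LocalMachine\My but has no private key on this machine."
}
```

Run it from an elevated prompt so the machine store can be read; on a box without the certificate installed, only the chain report and the key-size warning are produced.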
  • Thursday, October 29, 2009 3:17 PM, GforumB
    I'm referring to the PKI "requirements" by MDM, so any aspect I need to be aware of.

    So, if I understand it, CNG is a no go for MDM deployment and 1024 would be the key length limit?

    I'm not sure if R2 changes things. Anyone else out there know?