PKI SHA and key length vs. Certificate Templates

  • Question

  • Hi, we run a private Windows Enterprise PKI with template support. Now we have several templates defined for webserver, Exchange services....

    I just had an issue with Exchange 2016 and TLS1.2 SHA512 (which seems to be an issue), and therefore I had to issue a certificate with SHA256.

    While the template I used for this certificate is set to RSA, SHA256, my issued certificate always showed SHA512. No idea why, until I figured out that based on "certutil -getreg ca\csp\CNGHashAlgorithm" my PKI setting was "CNGHashAlgorithm REG_SZ = SHA512". Now I thought this might be a kind of minimum setting, and therefore no certificate is issued with less than SHA512. I changed that to SHA256, and now my certificates are issued with SHA256, but only 256. Even though I use a certificate template with SHA512, no matter, the issued certificate is just SHA256. The same behaviour happens with public key length. There must be a minimum public key length set to 4096 on my PKI, I do not know where, which leads to the fact that even though I use a certificate template with key length set to 2048, it always issues certificates with 4096.

    Now, my question is, if SHA and public key length are centrally configured per PKI, why do I have these options to set in templates? They don't apply anyway. Or how does this work, actually? Our PKI is Win 2008 R2-based.

    This is what I experienced at least; maybe I am wrong and made some mistake, however, I am not an SSL expert.

    kind regards,

    Dieter Tontsch

    mobileX AG

    Wednesday, June 8, 2016 12:08 PM

All replies

  • The setting in the template says "Request Hash" - it only sets the preferred hash for the CSR that goes to the CA. It has no bearing on the hash used to sign the certificate request. A CA can only have a single value defined for the signature hash and it is used for everything the CA signs - all certificates, CRLs, etc. The value CNGHashAlgorithm defines what that system-wide hash value is. There is no way to use a different hash for different templates.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Wednesday, June 8, 2016 3:50 PM
  • Thanks,

    very good explanation, I do understand it better now.

    Dieter

    Thursday, June 9, 2016 5:31 AM
  • Hi, the above answer helped me. But now I wonder about validity period. Following http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html I have changed RenewalValidityPeriodUnits to 5 years (the default was 2).

    ValidityPeriodUnits REG_DWORD = 5

    But still, even after restarting the CertSvc service, I cannot issue certificates longer than 2 years. The templates I use have 5 years set. Any idea why? I have even removed the template and added it again to be issued, no difference.

    Dieter


    Thursday, June 9, 2016 6:53 AM
  • A certificate lifetime is bound by three things. I would suggest you check all three of these in your situation.

    1) It cannot be longer than the ValidityPeriodUnits

    2) It cannot be valid past the expiration of the CA itself

    3) The validity period duration specified in the template you are enrolling with.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Thursday, June 9, 2016 1:29 PM
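    The following PowerShell script is an added example, not code from this thread or from Microsoft: it reads the CA-wide signing hash Mark describes and works out the longest lifetime the CA will actually issue for one template by taking the smallest of his three bounds. It assumes it runs on the CA server with local admin rights, that ADSI access to the configuration naming context works, and that the template's AD common name is passed as $TemplateName (the default 'WebServer' is a placeholder).

    ```powershell
    # Added example (not from the thread). Bounds checked, in Mark's order:
    #   1) CA registry ValidityPeriod / ValidityPeriodUnits
    #   2) the CA certificate's own NotAfter
    #   3) the template's pKIExpirationPeriod attribute in AD
    param([string]$TemplateName = 'WebServer')   # placeholder: use your template's CN

    function Get-CaRegValue([string]$Path) {
        # certutil -getreg prints e.g. "  ValidityPeriodUnits REG_DWORD = 2" or "= 0xa (10)";
        # return whatever follows "=" as text.
        $line = certutil -getreg $Path 2>$null | Select-String '=\s*(.+)$' | Select-Object -First 1
        if (-not $line) { throw "certutil -getreg $Path returned nothing" }
        $line.Matches[0].Groups[1].Value.Trim()
    }

    function ConvertTo-Years([string]$Units, [string]$Period) {
        # The CA stores the period as "<Units> <Period>", e.g. 2 Years or 24 Months.
        $n = [int][regex]::Match($Units, '(\d+)\)?\s*$').Groups[1].Value   # last decimal number
        switch ($Period) {
            'Years'  { $n }
            'Months' { $n / 12 }
            'Weeks'  { $n * 7 / 365.25 }
            'Days'   { $n / 365.25 }
            default  { throw "Unexpected ValidityPeriod '$Period'" }
        }
    }

    # Bound 1: CA-wide maximum (the registry values changed in this thread)
    $caMaxYears = ConvertTo-Years (Get-CaRegValue 'CA\ValidityPeriodUnits') (Get-CaRegValue 'CA\ValidityPeriod')

    # Bound 2: the CA certificate's own expiry, exported with certutil -ca.cert
    $tmp = Join-Path $env:TEMP 'ca.cer'
    certutil -ca.cert $tmp | Out-Null
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp

    # Bound 3: the template's pKIExpirationPeriod, an 8-byte negative duration in
    # 100 ns ticks (FILETIME style), so negate it to get a TimeSpan.
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $ticks = [BitConverter]::ToInt64([byte[]]$tpl.Properties['pKIExpirationPeriod'].Value, 0)
    $tplYears = [TimeSpan]::FromTicks(-$ticks).TotalDays / 365.25

    # Effective lifetime: the shorter of bounds 1 and 3, then capped by bound 2
    $requested = (Get-Date).AddDays([Math]::Min($caMaxYears, $tplYears) * 365.25)
    $notAfter  = if ($requested -gt $caCert.NotAfter) { $caCert.NotAfter } else { $requested }

    [pscustomobject]@{
        SigningHash       = Get-CaRegValue 'CA\CSP\CNGHashAlgorithm'   # used for everything the CA signs
        CaMaxYears        = $caMaxYears
        TemplateYears     = [Math]::Round($tplYears, 2)
        CaCertNotAfter    = $caCert.NotAfter
        EffectiveNotAfter = $notAfter
    }
    ```

    If EffectiveNotAfter equals CaCertNotAfter, the CA certificate itself is the limiting factor, which is exactly the case Dieter hits below.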
  • Ah, I am aware of the above and everything is fine.

    Just in my tests I was wondering why my certificate is still only issued for 2 years. But indeed, the PKI certificate itself is only valid until July 7th 2018, which is around 2 years from now. I did not have a closer look, just saw 2018 and got angry :-)....

    Thanks.

    Friday, June 10, 2016 2:12 PM
  • Hi,

    Glad to hear that everything's fine!

    Please feel free to let us know if there are any further requirements.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 13, 2016 1:53 AM