Checklist on building an Offline Root & Intermediate Certificate Authority (CA)
Microsoft allows a CA to use Cryptography Next Generation (CNG) and advises of incompatibility issues for clients that do not support this suite.
Here is an image of the default cryptography settings for a 2008 R2 CA. This machine is a n…