
Checklist on building an Offline Root & Intermediate Certificate Authority (CA)

Çağlar Arlı


Microsoft allows a CA to use Cryptography Next Generation (CNG) and advises of incompatibility issues for clients that do not support this suite.

Here is an image of the default cryptography settings for a 2008 R2 CA. This machine is a non-domain connected Standalone CA:

[Image: Default Cryptography settings]

Here are the installed providers. The CNG providers are marked with a # sign.


My intent is to have a general-purpose offline Root-CA and then several Intermediate CAs that each serve a specific purpose (MSFT-only vs. Unix vs. SmartCards, etc.).

What are the ideal settings for a Root Certificate with an expiration of 5, 10, and 15 years?

  1. CSP
  2. Signing Certificate
  3. Key Character Length

Since this is a RootCA, do any of the parameters affect low-powered CPUs (mobile devices)?