• caglararli@hotmail.com
  • 05386281520

Checklist on building an Offline Root & Intermediate Certificate Authority (CA)

Çağlar Arlı      -    16 Views

Checklist on building an Offline Root & Intermediate Certificate Authority (CA)

Microsoft allows a CA to use Cryptography Next Generation (CNG) and advises of incompatibility issues for clients that do not support this suite.

Here is an image of the default cryptography settings for a 2008 R2 CA. This machine is a non-domain connected Standalone CA:

Default Cryptography settings

Here are the installed providers. The CNG providers are marked with a # sign

enter image description here

My intent is to have a general-purpose offline Root-CA and then several Intermediate CAs that serve a specific purpose (MSFT-only vs Unix vs SmartCards etc)

What are the ideal settings for a Root Certificate with an expiration of 5, 10, and 15 years?

  1. CSP
  2. Signing Certificate
  3. Key Character Length

Since this is a RootCA, do any of the parameters affect low powered CPU (mobile devices)