Guidelines for Using Alternate Signature Formats

Applies To: Windows Server 2008

Selecting the option Use alternate signature formats configures the CA to sign the certificates it issues with the PKCS #1 v2.1 signature format (RSASSA-PSS for RSA keys) instead of the PKCS #1 v1.5 format that is used by default.

For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm: the signature algorithm is identified as id-RSASSA-PSS, and its parameters name the hash algorithm, the mask generation function (MGF1 with its own hash) and the salt length. (In PKCS #1 v1.5, only one object identifier, such as sha1WithRSAEncryption, is used to identify both the hash and the asymmetric algorithm.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, the signature itself is created with the RSASSA-PSS scheme, which pads the hash with a random salt before the RSA private-key operation, rather than with the deterministic PKCS #1 v1.5 padding. Two PSS signatures over the same certificate therefore differ, while two v1.5 signatures are identical.
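The following is an added example, not code from the original page or from Microsoft, that shows the encoding difference just described: the deterministic EMSA-PKCS1-v1_5 encoding beside the randomized EMSA-PSS encoding of PKCS #1 v2.1 (both as specified in RFC 8017), using SHA-256 and MGF1-SHA-256. Only the message-encoding step is shown; the RSA private-key operation that follows it is the same for both formats and is omitted. Function names, the salt-length choice and the sample message are this example's own assumptions.

```python
"""Added example: EMSA-PSS (PKCS #1 v2.1, RFC 8017 section 9.1) beside
EMSA-PKCS1-v1_5 (PKCS #1 v1.5, RFC 8017 section 9.2), SHA-256 only.
Not Microsoft's code; names and the sample message are this example's own."""
import hashlib
import hmac
import os
from typing import Optional

HASH = "sha256"
HLEN = hashlib.new(HASH).digest_size
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Deterministic v1.5 encoding: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.new(HASH, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(HASH, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message: bytes, em_bits: int, salt: Optional[bytes] = None,
                    salt_len: int = HLEN) -> bytes:
    """Randomized PSS encoding. em_bits is modBits - 1 (2047 for RSA-2048).
    A caller-supplied salt is accepted only to make the example reproducible."""
    if salt is None:
        salt = os.urandom(salt_len)
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.new(HASH, message).digest()
    h = hashlib.new(HASH, b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - len(salt) - HLEN - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h, em_len - HLEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the excess leading bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int,
                    salt_len: int = HLEN) -> bool:
    """Verify a PSS encoding against the message (RFC 8017 section 9.1.2)."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    excess = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - excess)) & 0xFF):
        return False  # leading bits that must be zero are set
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= 0xFF >> excess
    ps_len = em_len - HLEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # padding string or separator byte is wrong
    salt = bytes(db[ps_len + 1 :])
    m_hash = hashlib.new(HASH, message).digest()
    h_check = hashlib.new(HASH, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_check)


if __name__ == "__main__":
    msg = b"constructed sample tbsCertificate bytes"  # constructed input
    v15_a, v15_b = emsa_pkcs1_v15_encode(msg, 256), emsa_pkcs1_v15_encode(msg, 256)
    pss_a, pss_b = emsa_pss_encode(msg, 2047), emsa_pss_encode(msg, 2047)
    print("v1.5 encodings identical:", v15_a == v15_b)  # True
    print("PSS encodings identical: ", pss_a == pss_b)  # False (fresh salt each time)
    print("both PSS encodings verify:",
          emsa_pss_verify(msg, pss_a, 2047) and emsa_pss_verify(msg, pss_b, 2047))  # True
```

The verifier recomputes the salt from the encoded message, so it must be told the expected salt length; that is why the id-RSASSA-PSS parameters in the certificate carry the salt length and the hash and MGF identifiers, and why a verifier that only understands the single combined OID of PKCS #1 v1.5 cannot process these certificates.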

For certificates not based on RSA algorithms (for example, ECDSA), selecting Use alternate signature formats changes only the algorithm identifier: the hash algorithm and the asymmetric algorithm are identified by separate object identifiers instead of one combined identifier such as ecdsa-with-SHA256. The signature computation itself is unchanged.

Before using the alternate signature format in your certificates, you need to verify that every CA in the hierarchy and every client and application that must validate the certificates can process these signature formats. Versions of Windows earlier than Windows Vista and Windows Server 2008 cannot validate certificates that use the alternate signature format. In addition, certificates issued by using the alternate signature format might not be compatible with non-Microsoft certification authorities or non-Microsoft clients. A quick check on an issued certificate is its Signature algorithm field (for example, in certutil -dump output): with the alternate format an RSA certificate shows RSASSA-PSS (object identifier 1.2.840.113549.1.1.10) instead of an identifier such as sha1WithRSAEncryption or sha256WithRSAEncryption.
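The following is an added example, not code from the original page or from Microsoft, that decodes the signatureAlgorithm field of a DER certificate with the standard library only and reports which of the two formats described above is in use: the single combined OID of PKCS #1 v1.5, or id-RSASSA-PSS with the hash, MGF and salt-length parameters of PKCS #1 v2.1. It serves both the OID discussion and the compatibility check: run it over certificates issued by the CA (or by the CAs and clients you need to interoperate with) to see which ones carry the alternate format before relying on it. The two AlgorithmIdentifier samples are constructed by hand for the example, not taken from a real certificate, and the ECDSA "specified" object identifier and its parameter layout are an assumption about Windows, not something this page states.

```python
"""Added example: decode a certificate's signatureAlgorithm and tell the
PKCS #1 v1.5 form (one OID naming hash and RSA together) from the PKCS #1
v2.1 form (id-RSASSA-PSS with hash, MGF and salt length as parameters).
Standard library only; not Microsoft's code. Sample DER is constructed."""
from typing import Tuple

RSASSA_PSS = "1.2.840.113549.1.1.10"
MGF1 = "1.2.840.113549.1.1.8"
SHA1 = "1.3.14.3.2.26"
# Assumption: Windows identifies the alternate ECDSA format with this OID
# (szOID_ECDSA_SPECIFIED) and carries the hash AlgorithmIdentifier as params.
ECDSA_SPECIFIED = "1.2.840.10045.4.3"
NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    SHA1: "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
    RSASSA_PSS: "id-RSASSA-PSS", MGF1: "id-mgf1", ECDSA_SPECIFIED: "specifiedECDSA",
}

# Constructed AlgorithmIdentifier values, both for SHA-256:
#   v1.5: SEQUENCE { sha256WithRSAEncryption, NULL }
V15_SHA256_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
#   v2.1: SEQUENCE { id-RSASSA-PSS, { [0] sha256, [1] mgf1(sha256), [2] saltLength 32 } }
PSS_SHA256_ALGID = bytes.fromhex(
    "3041" "06092a864886f70d01010a" "3034"
    "a00f300d06096086480165030402010500"
    "a11c301a06092a864886f70d010108300d06096086480165030402010500"
    "a203020120"
)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode base-128 OID arcs to dotted form; first two arcs share one sub-id."""
    arcs, v = [], 0
    for b in value:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_algorithm_identifier(der: bytes) -> Tuple[str, bytes]:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_bytes), body[pos:]


def parse_pss_params(params: bytes) -> dict:
    """RSASSA-PSS-params (RFC 8017 appendix A.2.3); absent fields take the defaults."""
    info = {"hash": SHA1, "mgf_hash": SHA1, "salt_length": 20}
    if not params:
        return info
    _, body, _ = read_tlv(params)
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:  # [0] hashAlgorithm
            info["hash"], _ = parse_algorithm_identifier(val)
        elif tag == 0xA1:  # [1] maskGenAlgorithm: mgf1 whose parameter is a hash
            mgf_oid, mgf_params = parse_algorithm_identifier(val)
            if mgf_oid == MGF1:
                info["mgf_hash"], _ = parse_algorithm_identifier(mgf_params)
        elif tag == 0xA2:  # [2] saltLength INTEGER
            _, n, _ = read_tlv(val)
            info["salt_length"] = int.from_bytes(n, "big")
    return info


def describe_signature_algorithm(der: bytes) -> dict:
    """Summarize an AlgorithmIdentifier and flag the alternate (v2.1) format."""
    oid, params = parse_algorithm_identifier(der)
    info = {"algorithm": oid, "name": NAMES.get(oid, oid), "alternate_format": False}
    if oid == RSASSA_PSS:
        info["alternate_format"] = True
        info.update(parse_pss_params(params))
    elif oid == ECDSA_SPECIFIED:
        info["alternate_format"] = True
        info["hash"], _ = parse_algorithm_identifier(params)
    return info


def signature_algorithm_from_certificate(cert_der: bytes) -> bytes:
    """Return the outer signatureAlgorithm element of a DER Certificate (RFC 5280)."""
    _, body, _ = read_tlv(cert_der)
    _, _, start = read_tlv(body)  # skip tbsCertificate
    _, _, end = read_tlv(body, start)
    return body[start:end]


if __name__ == "__main__":
    for sample in (V15_SHA256_ALGID, PSS_SHA256_ALGID):
        print(describe_signature_algorithm(sample))
```

To check a certificate exported from the CA as DER, pass the file contents to `signature_algorithm_from_certificate` and then to `describe_signature_algorithm`; any entry with `alternate_format` set to True is one that pre-Vista Windows clients, and possibly non-Microsoft software, cannot validate.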

For more information about PKCS #1 v2.1, see PKCS #1: RSA Cryptography Standard (https://go.microsoft.com/fwlink/?LinkId=66621) on the RSA Laboratories Web site.

For more information about the RSA-PSS signature scheme used by the alternate format, see Raising the Standard for RSA Signatures: RSA-PSS (https://go.microsoft.com/fwlink/?LinkId=66622) on the RSA Laboratories Web site.