Guidelines for Using Alternate Signature Formats
Applies To: Windows 7, Windows Server 2008 R2
Selecting the Use alternate signature formats option causes the CA to sign certificates by using the PKCS #1 v2.1 signature format instead of the PKCS #1 v1.5 format that is used by default.
For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm: the signature algorithm identifier names RSA-PSS (id-RSASSA-PSS, 1.2.840.113549.1.1.10) and carries the hash algorithm, the mask generation function, and the salt length in its parameters. (In PKCS #1 v1.5, a single combined object identifier such as sha256WithRSAEncryption identifies both the hash and the asymmetric algorithm.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, the signature itself is created with the RSA Probabilistic Signature Scheme (RSA-PSS) rather than with the deterministic PKCS #1 v1.5 padding.
For certificates not based on RSA algorithms, selecting Use alternate signature formats likewise specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm; the signing operation itself is unchanged.
Before using the alternate signature format in your certificates, verify that every certification authority (CA) in the hierarchy and every client computer that must build and validate a chain to these certificates can process the format. Versions of Windows earlier than Windows Server 2008 (for example, Windows XP and Windows Server 2003) cannot validate certificates that use the alternate signature format, so chain building fails on those computers. In addition, certificates issued by using the alternate signature format might not be compatible with CAs or client computers that are not running Windows, because support for RSA-PSS in X.509 validation varies by implementation. Test with the actual relying parties before enabling the option on a CA.
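One way to confirm what a CA actually issued before rolling the option out is to look at the signatureAlgorithm field of an issued certificate. The following Python script, added here as an example and not part of the original page, parses a DER-encoded AlgorithmIdentifier and reports whether it is the PKCS #1 v1.5 form (one combined OID) or the PKCS #1 v2.1 RSA-PSS form (id-RSASSA-PSS with the hash algorithm, MGF and salt length in separate parameters). The two sample AlgorithmIdentifier byte strings and the wrapper "certificate" are constructed by hand; the wrapper reproduces only the outer Certificate SEQUENCE layout so that the same code path works on a real DER certificate.

```python
"""Classify a certificate's signatureAlgorithm as PKCS #1 v1.5 or RSASSA-PSS.

Minimal DER walker; no third-party dependencies. Added example, not Windows code.
"""
from typing import Dict, Tuple

# Well-known object identifiers (PKCS #1, RFC 4055, NIST hash OIDs).
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
PKCS1_V15_SIG_OIDS = {            # combined "<hash>WithRSAEncryption" OIDs
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
}
HASH_OIDS = {                     # stand-alone hash OIDs used inside PSS params
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at pos; return (tag, value, end offset)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OID content octets to dotted form (first arc pair fits in one octet here)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear terminates the sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_signature_algorithm(algid: bytes) -> Dict[str, str]:
    """Parse a DER AlgorithmIdentifier and report format, algorithm OID and hash."""
    tag, body, _ = read_tlv(algid, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_bytes)
    if oid in PKCS1_V15_SIG_OIDS:          # one OID names both hash and RSA
        return {"format": "PKCS#1 v1.5", "algorithm_oid": oid, "hash": PKCS1_V15_SIG_OIDS[oid]}
    if oid == OID_RSASSA_PSS:              # hash, MGF and salt are separate parameters
        # RFC 4055 defaults apply when a parameter is omitted.
        result = {"format": "RSASSA-PSS", "algorithm_oid": oid,
                  "hash": "sha1", "mgf": "mgf1", "salt_length": "20"}
        if pos < len(body):
            _, params, _ = read_tlv(body, pos)
            p = 0
            while p < len(params):
                ctag, cval, p = read_tlv(params, p)
                if ctag == 0xA0:           # [0] hashAlgorithm
                    _, hbody, _ = read_tlv(cval, 0)
                    _, hoid, _ = read_tlv(hbody, 0)
                    h = decode_oid(hoid)
                    result["hash"] = HASH_OIDS.get(h, h)
                elif ctag == 0xA1:         # [1] maskGenAlgorithm
                    _, mbody, _ = read_tlv(cval, 0)
                    _, moid, _ = read_tlv(mbody, 0)
                    m = decode_oid(moid)
                    result["mgf"] = "mgf1" if m == OID_MGF1 else m
                elif ctag == 0xA2:         # [2] saltLength
                    _, sval, _ = read_tlv(cval, 0)
                    result["salt_length"] = str(int.from_bytes(sval, "big"))
        return result
    return {"format": "unknown", "algorithm_oid": oid, "hash": "?"}


def signature_algorithm_of(cert_der: bytes) -> bytes:
    """Return the raw signatureAlgorithm TLV from a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, _tbs, pos = read_tlv(cert_body, 0)  # skip tbsCertificate
    _, _alg, end = read_tlv(cert_body, pos)
    return cert_body[pos:end]


# Constructed sample data (hand-encoded DER, not captured from a CA).
PKCS15_SHA256 = bytes.fromhex("300d06092a864886f70d01010b0500")          # sha256WithRSAEncryption, NULL
PSS_SHA256 = bytes.fromhex(
    "3041" "06092a864886f70d01010a" "3034"                               # id-RSASSA-PSS, params
    "a00f300d06096086480165030402010500"                                 # [0] sha256
    "a11c301a06092a864886f70d010108300d06096086480165030402010500"       # [1] mgf1(sha256)
    "a203020120")                                                        # [2] saltLength 32


def make_fake_cert(algid: bytes) -> bytes:
    """Wrap an AlgorithmIdentifier in a stand-in Certificate SEQUENCE (constructed, not a real cert)."""
    body = b"\x30\x03\x02\x01\x02" + algid + b"\x03\x01\x00"  # placeholder tbs, algid, empty BIT STRING
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for sample in (PKCS15_SHA256, PSS_SHA256):
        print(classify_signature_algorithm(signature_algorithm_of(make_fake_cert(sample))))
    # For a real certificate: classify_signature_algorithm(signature_algorithm_of(open("cert.cer", "rb").read()))
```

Run it against a DER (.cer) file exported from the CA: a result of "PKCS#1 v1.5" means the certificate will validate on every Windows version, while "RSASSA-PSS" means the relying clients listed above must be able to process the alternate format.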
For more information about PKCS #1 v2.1, see PKCS #1: RSA Cryptography Standard (http://go.microsoft.com/fwlink/?LinkId=66621) on the RSA Laboratories Web site.
For more information about the RSA implementation of the signature format, see Raising the Standard for RSA Signatures: RSA-PSS (http://go.microsoft.com/fwlink/?LinkId=66622) on the RSA Laboratories Web site.