Cryptography

Applies To: Windows Server 2008

A new Cryptography tab is available for version 3 certificate templates in Windows Server® 2008. This tab replaces and extends the cryptographic service provider (CSP) selection dialog box accessible by clicking the CSPs button on the Request Handling tab of a version 2 certificate template. The Cryptography tab contains the following options:

  • Algorithm name. This option allows you to select an advanced algorithm for encryption, signing, or both (depending on the template's purpose). By default, the following algorithms are available: DSA, ECDH_P256, ECDH_P384, ECDH_P521, ECDSA_P256, ECDSA_P384, ECDSA_P521, and RSA. Only the algorithms that are available for a specific certificate template purpose will be listed.

  • Minimum key size. This option allows you to specify a minimum required size for the keys used with the chosen algorithm. By default, the minimum key length supported on the computer for the chosen algorithm will be used.

  • Providers. Version 2 templates offered a list of CryptoAPI CSPs, while version 3 templates offer a dynamically populated list of Cryptography Next Generation (CNG) providers. This list is populated with all providers available on the computer that meet the criteria specified by a combination of the following configuration options: Algorithm name and Minimum key size on the Cryptography tab, and Purpose and Allow private key to be exported on the Request Handling tab.

  • Hash algorithm. This option allows you to choose an advanced hash algorithm. By default, the following algorithms are available: AES-GMAC, MD2, MD4, MD5, SHA1, SHA256, SHA384, and SHA512.

  • Use alternate signature format. When the RSA algorithm is selected, this check box allows you to specify that certificate requests created for this template include a discrete signature in PKCS #1 V2.1 format.

Note

This setting applies to the certificate request only, not the certificate that is issued by the CA from this template.
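The following is an added example, not part of the original documentation: a small audit that reads the Algorithm name, Minimum key size, and Hash algorithm settings of version 3 templates and flags weak combinations. It assumes the values were exported from each template's Active Directory object (the backtick-delimited `msPKI-RA-Application-Policies` string and the `msPKI-Minimal-Key-Size` integer, neither of which is named on this page); the weak-hash list, the 2048-bit RSA floor, and the template names are illustrative policy choices and constructed samples.

```python
# Added example: audit the Cryptography-tab settings of version 3 templates.
# Assumption: settings come from the template's AD object, where
# msPKI-RA-Application-Policies holds Name`Type`Value` triplets and
# msPKI-Minimal-Key-Size holds the minimum key size.

WEAK_HASHES = {"MD2", "MD4", "MD5", "SHA1"}  # local policy choice, not from the page
MIN_RSA_BITS = 2048                           # local policy choice, not from the page


def parse_cng_properties(raw):
    """Split the backtick-delimited triplets into a {name: value} dict."""
    fields = raw.split("`")
    if fields and fields[-1] == "":
        fields.pop()  # the string normally ends with a trailing backtick
    if len(fields) % 3 != 0:
        raise ValueError("expected Name`Type`Value` triplets")
    props = {}
    for i in range(0, len(fields), 3):
        name, kind, value = fields[i:i + 3]
        props[name] = int(value) if kind == "DWORD" else value
    return props


def audit_template(name, ra_policies, min_key_size):
    """Return a list of findings for one template (empty list = no findings)."""
    try:
        props = parse_cng_properties(ra_policies)
    except ValueError as exc:
        return [f"{name}: unparseable CNG properties ({exc})"]
    findings = []
    hash_alg = props.get("msPKI-Hash-Algorithm")
    key_alg = props.get("msPKI-Asymmetric-Algorithm")
    if hash_alg is None:
        findings.append(f"{name}: no hash algorithm recorded")
    elif hash_alg.upper() in WEAK_HASHES:
        findings.append(f"{name}: request hash {hash_alg} is on the weak-hash list")
    if key_alg == "RSA" and min_key_size < MIN_RSA_BITS:
        findings.append(f"{name}: RSA minimum key size {min_key_size} < {MIN_RSA_BITS}")
    return findings


# Constructed sample values (not taken from a real directory).
SAMPLES = [
    ("LegacyWeb", "msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`MD5`", 1024),
    ("ModernTLS", "msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA256`", 256),
    ("Truncated", "msPKI-Hash-Algorithm`PZPWSTR", 2048),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("\n".join(audit_template(*sample)) or f"{sample[0]}: ok")
```
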
