Cryptography

Applies To: Windows Server 2008 R2

The Cryptography tab is available for version 3 certificate templates. This tab replaces the cryptographic service provider (CSP) selection dialog box used to select CSPs for version 2 certificate templates. The Cryptography tab is used to configure the following properties:

  • Algorithm name. Select an algorithm that the issued certificate's key pair will support. The list displays only algorithms that support the cryptographic operations required for the certificate purpose that is selected on the Request Handling tab. The following table describes the relationship between the certificate purpose and the available algorithms.

    Purpose                          Algorithms
    -------------------------------  -------------------------------------------
    Encryption                       ECDH_P256, ECDH_P384, ECDH_P521, RSA
    Signature                        DSA, ECDSA_P256, ECDSA_P384, ECDSA_P521, RSA
    Signature and encryption         ECDH_P256, ECDH_P384, ECDH_P521, RSA
    Signature and smart card logon   ECDH_P256, ECDH_P384, ECDH_P521, RSA

  • Minimum key size. This option specifies the smallest key size the CA will accept for the chosen algorithm; an enrollment request whose key is shorter than this value is rejected. By default, the minimum key length supported on the computer for the chosen algorithm is used, so check that the default is not smaller than your organization requires.

  • Providers. Version 2 templates offer a list of CryptoAPI CSPs, while version 3 templates offer a dynamically populated list of Cryptography Next Generation (CNG) providers. This list is populated with all providers available on the computer that meet the criteria specified by a combination of the following configuration options: Algorithm name and Minimum key size on the Cryptography tab, and Purpose and Allow private key to be exported on the Request Handling tab.

  • Hash algorithm. This option allows you to choose the hash algorithm to use. By default, the following algorithms are available: AES-GMAC, MD2, MD4, MD5, SHA1, SHA256, SHA384, and SHA512. MD2, MD4, and MD5 are cryptographically broken and SHA1 is deprecated for signatures; choose SHA256 or stronger unless a specific legacy client requires otherwise.

  • Use alternate signature format. When the RSA algorithm is selected, this check box allows you to specify that certificate requests created for this template include a discrete signature in PKCS #1 V2.1 format (RSASSA-PSS) instead of the PKCS #1 V1.5 format that older clients expect.

Note

This setting applies to the certificate request only, not the certificate that is issued by the CA from this template.
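The settings described above are stored as attributes on the template object in Active Directory, which is where a security review reads them back. The following PowerShell script is an added example, not code from the original page or from Microsoft: it decodes those attributes for each version 3 template and flags weak hash choices and small RSA keys. It assumes (none of this is stated on the page) that templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition, that the minimum key size is msPKI-Minimal-Key-Size, that providers are listed in pKIDefaultCSPs as "<order>,<provider name>", and that msPKI-RA-Application-Policies holds the algorithm and hash choices as backtick-separated name`type`value triplets. The weak-hash list and the 2048-bit RSA floor are the example's own policy, and the sample template data at the end is constructed.

```powershell
# Added example (not from the original page). Decodes the Cryptography tab
# settings stored on a v3 certificate template in AD and flags weak choices.
# Assumptions not stated on the page: the AD container, attribute names, and
# the name`type`value triplet layout of msPKI-RA-Application-Policies, e.g.
#   msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA256`
# The weak-hash list and RSA floor below are this example's own policy.

$WeakHashes     = @('MD2', 'MD4', 'MD5', 'SHA1')
$RsaMinimumBits = 2048

function ConvertFrom-TemplateAlgorithmPolicy {
    # Turn "name`type`value`name`type`value`..." into a hashtable name -> value.
    param([string]$Policy)
    $result = @{}
    if ([string]::IsNullOrEmpty($Policy)) { return $result }
    $parts = @($Policy.Split('`') | Where-Object { $_ -ne '' })
    for ($i = 0; $i + 2 -lt $parts.Count; $i += 3) {
        $result[$parts[$i]] = $parts[$i + 2]
    }
    return $result
}

function Test-TemplateCryptography {
    # Build one report row from a template's raw attribute values.
    param(
        [string]$Name,
        [int]$SchemaVersion,
        [int]$MinimalKeySize,
        [string[]]$DefaultCsps,
        [string]$ApplicationPolicies
    )
    $findings = @()
    $alg  = ConvertFrom-TemplateAlgorithmPolicy $ApplicationPolicies
    $asym = $alg['msPKI-Asymmetric-Algorithm']
    $hash = $alg['msPKI-Hash-Algorithm']

    if ($SchemaVersion -lt 3) {
        # v2 templates have no Cryptography tab; they name CryptoAPI CSPs only.
        $findings += "schema version $SchemaVersion uses CryptoAPI CSPs, not CNG"
    }
    if ($hash -and ($WeakHashes -contains $hash.ToUpperInvariant())) {
        $findings += "hash $hash is broken or deprecated; use SHA256 or stronger"
    }
    if ($asym -eq 'RSA' -and $MinimalKeySize -lt $RsaMinimumBits) {
        $findings += "RSA minimum key size $MinimalKeySize is below $RsaMinimumBits"
    }
    if ($SchemaVersion -ge 3 -and -not $asym) {
        $findings += 'no algorithm recorded in msPKI-RA-Application-Policies'
    }

    [pscustomobject]@{
        Name           = $Name
        SchemaVersion  = $SchemaVersion
        Algorithm      = $asym
        MinimalKeySize = $MinimalKeySize
        Hash           = $hash
        Providers      = ($DefaultCsps -join '; ')
        Findings       = ($findings -join '; ')
    }
}

function Get-TemplateCryptographyReport {
    # Live query: run on a domain-joined host with read access to the
    # Configuration partition. Not exercised by the offline sample below.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$base), '(objectClass=pKICertificateTemplate)'
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        Test-TemplateCryptography -Name ([string]$p['cn'][0]) `
            -SchemaVersion ([int]$p['mspki-template-schema-version'][0]) `
            -MinimalKeySize ([int]$p['mspki-minimal-key-size'][0]) `
            -DefaultCsps ([string[]]$p['pkidefaultcsps']) `
            -ApplicationPolicies ([string]$p['mspki-ra-application-policies'][0])
    }
}

# Constructed sample data (not from a real forest): one template configured the
# way the tab on this page recommends, one carrying legacy choices.
$samples = @(
    @{ Name = 'WebServerV3'; SchemaVersion = 3; MinimalKeySize = 2048
       DefaultCsps = @('1,Microsoft Software Key Storage Provider')
       ApplicationPolicies = 'msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA256`msPKI-Key-Usage`DWORD`2`' },
    @{ Name = 'LegacyUser'; SchemaVersion = 3; MinimalKeySize = 1024
       DefaultCsps = @('1,Microsoft Software Key Storage Provider')
       ApplicationPolicies = 'msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`MD5`msPKI-Key-Usage`DWORD`2`' }
)
$samples | ForEach-Object { $s = $_; Test-TemplateCryptography @s } |
    Format-Table Name, Algorithm, MinimalKeySize, Hash, Findings -AutoSize
```

Run against the constructed samples, WebServerV3 produces no findings while LegacyUser is flagged for both the MD5 hash and the 1024-bit RSA minimum. Replace the sample loop with a call to Get-TemplateCryptographyReport to audit every template in the forest; the parsing is kept separate from the directory query so it can be unit-tested offline against exported attribute values.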

Additional references