What CSP are you using?
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jason Penn" <pe...@netcom.com> wrote in message
news:0db701c23f35$a0be2e30$9ae62ecf@tkmsftngxa02...
> I'm setting up a Root Certificate Authority, but the
> Certificate Services Install Wizard won't let you generate
> keys larger than 4096 bit.
>
> We require 16384 bit keys for all CAs. I figured I could
> generate a proper key on another CA and import it, but I
> can only select the "Subordinate CA" template. (I have
> added "Everyone-Full Control" permissions to the CA
> Template in AD Sites and Services, but it still can't be
> selected as a template.)
>
> If I use the SubCA template (which I assume is close
> enough) the key will generate and import/export fine in an
> X.509 or PKCS#7 format.
>
> The wizard will allow you to import a key, but only with a
> PKCS#12 format. I can't find any way to export a SubCA key
> in a PKCS#12 format. (PKCS12 is a personal exchange format
> and doesn't seem applicable to a CA Certificate)
>
>
> Does anyone know how I can solve this issue?
>
> I basically just need the Certificate Services to use or
> generate a 16384 key for creating the root CA.
>
> Thanks,
> Jason
What I did to resolve the issue (I think) was basically:
1. Install Certificate Services on a Win2000 Advanced Server.
2. Request a Sub-CA Certificate from a WinNET RC1 Server.
3. Export the key in WinNET to a PKCS#12 .pfx file.
(Win2000 would only allow export to a .pvk file.)
4. Copy the new exported key to the Win2000 Server.
5. Uninstall Certificate Services.
6. Import the Sub-CA key into the private store.
7. Reinstall Certificate Services, using the key from the
private store but not the associated certificate.
This produced a Self-Issued Root CA key at 16384 bit using
the MS Enhanced CSP.
I then had to basically do the reverse again from the .NET
server as a Sub-CA, since the .NET Certificate Install
wizard wouldn't allow a key size > 4096 either.
The two server certificates appear to be correct. They
show as validated - but they don't appear in the
Certificate Server Issued Store and I got errors in the
event log saying:
"Automatic enrollment against the certification authority
Systems Experience CA-1 for a certificate of type
DomainController has failed. (0x800706ba) The RPC server
is unavailable.
. Another certification authority will be tried"
Also - every time the two servers connect to each other,
(For an Active Directory Replication for example) I get
multiple certificates added to both the Root and
Intermediate CA Store in each of the CA's CN. These NEW
certificates are 512, 1024, and 4096 bit respectively -
and show as an invalid certificate that can't be verified
in the trust chain.
Although the 16384 Root and Sub-CA certificates APPEAR
valid, I'm not sure they are. I'll try issuing some
additional certificates tonight and see if they work.
Any ideas on what could be wrong?
Jason Penn
This should be documented in the help files.
--
David B. Cross [MS]
--
"Jason Penn" <pe...@netcom.com> wrote in message
news:2f0d01c24511$d9244a70$35ef2ecf@TKMSFTNGXA11...
It will work fine - just tried myself on .NET
--
David B. Cross [MS]
--
"Jason Penn" <pe...@netcom.com> wrote in message
news:2f0d01c24511$d9244a70$35ef2ecf@TKMSFTNGXA11...