Microsoft KB Archive/254150

= Microsoft Enhanced CSP Is Not Supported for Certificate Services Installations =

PSS ID Number: 254150

Article Last Modified on 10/11/2002


The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q254150



== SUMMARY ==
With the advanced installation of Certificate Services, an administrator can choose which cryptographic service provider (CSP) the Certification Authority (CA) uses for cryptographic operations. Although the Microsoft Enhanced CSP appears to be an available option, the Microsoft Enhanced CSP is not supported for use on the key pair for the CA.



== MORE INFORMATION ==
There is no advantage or cryptographic strength increase in using the Microsoft Enhanced CSP to generate the CA's key pair. A CA performs only signing operations, which have the same limits in the Microsoft Base CSP and the Microsoft Enhanced CSP.

The primary difference between the Microsoft Base CSP and the Microsoft Enhanced CSP is the supported key size for data encryption operations. The Base CSP supports a maximum encryption key length of 1,024 bits, and the Enhanced CSP supports a maximum encryption key length of 16,384 bits.

A CA performs signing operations on issued certificates, Certificate Revocation Lists (CRLs), and the Certificate Services database; it does not perform any encryption operations. The maximum key length for digital signature operations is 16,384 bits for both CSPs, so there is no benefit in using the Microsoft Enhanced CSP with Certificate Services.

There is no relationship between the signing technology that is used by the CA and the encryption capabilities of a client. A client can choose to use any supported key length for data encryption regardless of the length of the Certification Authority's key.

If Certificate Services has already been installed with the Microsoft Enhanced CSP, you can back up the CA certificate and private key and reinstall the CA. After the CA is reinstalled, select the Microsoft Base Cryptographic Service Provider, and then choose to use an existing keyset.

For information about how to back up, remove, and reinstall the Certification Authority, see:

313272 HOW TO: Back Up and Restore a Certificate Authority in Windows

231881 How to Install/Uninstall a Public Key Certificate Authority

For additional information about how to back up and restore a Microsoft Certificate Authority, see the following article in the Microsoft Knowledge Base:

298138 HOW TO: Move a Certification Authority to Another Server


© 2003 Microsoft Corporation. All rights reserved.