Domain Controller certificate key size

WinTechie 281 Reputation points
2020-09-23T15:16:22.657+00:00

Hi,

On my domain controllers, I have a "Domain Controller" certificate issued by a subordinate CA.
The domain controller certificate was issued with a 1024-bit key size (RSA public key), whereas the issuing authority's certificate has a 2048-bit key size.

I want to use a domain controller certificate with a 2048-bit key size. However, when I try to create a duplicate of the Domain Controller certificate template, I see that the key size in the Cryptography tab is already pre-populated with 2048 as the minimum key size.

Hence, I was wondering why I have 1024-bit DC certificates on my domain controllers. I would also like to know the process for auto-enrolling domain controller certificates with a 2048-bit key size.


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-09-24T02:51:12.077+00:00

    Hello,

    Thank you so much for posting here.

    There is no connection between the key size selection on a CA certificate or sub-ordinate CA, and an End-Entity certificate. An End-Entity certificate can use a key size that is larger, or smaller than that used on the CA certificate or sub-ordinate CA used to sign the End-Entity certificate.

    The CA has the Domain Controller template in its default template list, but it is a v1 certificate template and does not support auto-enrollment by default; you need to duplicate and customize the Domain Controller certificate template.

    In my case, I tried to create a duplicate of the Domain Controller certificate template with a 1024-bit key size, as shown below (the CA certificate has a 2048-bit key size), and then issued this certificate template.
    When requesting a new certificate from this certificate template via the Certificates MMC, it shows a 1024-bit key size, as shown below.

    27856-11.png

    27914-13.png

    27873-12.png

    If we set up auto-enrollment, please make sure that the duplicated Domain Controller certificate template has the Autoenroll permission set. Then we should use Reenroll All Certificate Holders to cause the servers to re-enroll and request a different key size (assuming certificate autoenrollment is enabled).

    We could refer to the below article about this:

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong



2 additional answers

  1. Vadims Podāns 8,866 Reputation points MVP
    2020-09-23T18:51:50.197+00:00

    Use pre-installed Kerberos Authentication template instead.

    As for autoenrollment, edit the Default Domain Controllers Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Infrastructure and enable Certificate Services Client - Auto-Enrollment. Enable both checkboxes. Make sure that the Kerberos Authentication template is added to the CA for issuance.


  2. Hannah Xiong 6,231 Reputation points
    2020-09-25T06:09:36.843+00:00

    Hello,

    You are welcome. Thank you so much for your feedback.

    We could follow the steps below:
    1. Create a duplicate of the Domain Controller template.
    2. Optionally change the template display name and template name.
    3. In the "Cryptography" tab, set the minimum key size to 2048.
    4. Set Read, Enroll and Autoenroll permissions for Domain Controllers, as shown in the screenshot.

    28246-11.png

    5. Issue the certificate template, as shown in the screenshot.

    28282-12.png

    6. Configure the GPO setting for certificate autoenrollment on the DC, as shown below.

    28140-13.png

    28196-14.png

    7. Run gpupdate /force on the DCs.
    8. Open the MMC. Click File, and then click Add/Remove Snap-in. In the available snap-ins list, click Certificates, and then click Add.
    You should then see the certificate enrolled using the "Copy of Domain Controller" certificate template.

    28179-15.png
    28180-16.png

    By configuring Group Policy for autoenrollment, we do not need to manually request new certificates on our domain controllers. Besides, it will automatically renew expiring certificates. If we configure the GPO settings for certificate autoenrollment as shown above, the domain controllers will renew their certificate from the new template next time (assuming that we do not configure domain controller certificate autoenrollment for another certificate template).

    Hope the information is helpful. Thanks again. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
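An added PowerShell example, not from this thread or from Microsoft, that checks what the accepted answer and the numbered steps above describe: it lists the DC's machine certificates with their template and RSA key size next to the issuing CA's key size (the two are independent, as the accepted answer says), flags any below a chosen minimum, and can pulse autoenrollment after the template and GPO changes. It assumes it is saved as a .ps1 and run elevated on a domain controller; $MinimumKeySize and $TriggerAutoenrollment are names chosen here, not settings from the thread.

```powershell
# Added example (not from the thread): audit LocalMachine\My for RSA key size and
# issuing template, then optionally trigger autoenrollment. Run elevated on a DC.
param(
    [int]$MinimumKeySize = 2048,      # policy value chosen for this example
    [switch]$TriggerAutoenrollment    # pulse autoenrollment after the GPO change
)

# Extensions that carry the template: v1 "Certificate Template Name" and v2+ "Certificate Template Information".
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($null -eq $ext) { return '(no template extension)' }
    # v1 formats as the bare name (e.g. DomainController); v2 as "Template=<name>(<oid>), Major Version ..."
    return ($ext.Format($false) -replace '^Template=', '')
}

function Get-RsaKeySize([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return 0 }   # non-RSA key (e.g. ECC) is not judged by this check
    return $rsa.KeySize
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain so the leaf key can be compared with the issuing CA's key.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $issuerBits = 0
    if ($chain.ChainElements.Count -gt 1) {
        $issuerBits = Get-RsaKeySize $chain.ChainElements[1].Certificate
    }
    $leafBits = Get-RsaKeySize $cert
    [pscustomobject]@{
        Subject       = $cert.Subject
        Template      = Get-TemplateName $cert
        LeafKeyBits   = $leafBits
        IssuerKeyBits = $issuerBits
        NotAfter      = $cert.NotAfter
        BelowMinimum  = ($leafBits -gt 0 -and $leafBits -lt $MinimumKeySize)
    }
}
$report | Sort-Object BelowMinimum -Descending | Format-Table -AutoSize

if ($TriggerAutoenrollment) {
    # Pulse autoenrollment now instead of waiting for the next policy refresh cycle.
    & certutil.exe -pulse
}
```

Re-run the script after the pulse: a new certificate carrying the duplicated template name with LeafKeyBits of 2048 confirms the template and GPO changes took effect.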