WinTechie-3187 asked:

Domain Controller certificate key size

Hi,

On my domain controllers, I have a "Domain Controller" certificate issued by a subordinate CA.
The domain controller certificate is issued with a 1024-bit key size (RSA public key), whereas the issuing authority's certificate has a 2048-bit key size.

I want to use a domain controller certificate with a 2048-bit key size. However, when I try to create a duplicate of the Domain Controller certificate template, I see that the key size in the Cryptography tab is already pre-populated with 2048 as the minimum key size.

Hence, I was wondering why I have 1024-bit DC certificates on my domain controllers. I would also like to know the process for auto-enrolling domain controller certificates with a 2048-bit key size.


HannahXiong-MSFT answered:

Hello,

Thank you so much for posting here.

There is no connection between the key size selected for a CA certificate or subordinate CA certificate and an end-entity certificate. An end-entity certificate can use a key size that is larger or smaller than that used on the CA certificate or subordinate CA certificate that signs the end-entity certificate.

The CA has the Domain Controller template in its default template list, but it is a v1 certificate template and does not support auto-enrollment by default, so you need to duplicate and customize the domain controller certificate template.

In my case, I tried to create a duplicate of the domain controller certificate template with a 1024-bit key size as shown below (the CA certificate has a 2048-bit key size), then issued this certificate template.
After requesting the new certificate from this certificate template via the Certificates MMC, it shows a 1024-bit key size as shown below.

[screenshot: 11.png]

[screenshot: 13.png]

[screenshot: 12.png]

If we set up auto-enrollment, please make sure that the duplicated domain controller certificate template has the Autoenroll permission set. Then we should use "Reenroll All Certificate Holders" to cause the servers to re-enroll and request a different key size (assuming certificate autoenrollment is enabled).

We could refer to the below article about this:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997

For any question, please feel free to contact us.

Best regards,
Hannah Xiong


WinTechie-3187 commented:

Hi Hannah,

Thanks for the input!

Could you also help me with the overall process to enroll a new certificate with a 2048-bit key size on my domain controllers?

  • Create a duplicate template of Domain Controller

  • Change the template display name and template name

  • In the "Cryptography" tab, add the value 2048 for the minimum key size

Is there anything else that I need to adjust before clicking OK?

Also, how do I request the new certificate on my domain controllers, and how would my domain controllers renew their certificate next time from this new template only and not from the old Domain Controller template?

A complete process for implementing this would be very much appreciated. Thanks!

Crypt32 replied to WinTechie-3187:

You don't need to duplicate certificate templates. All you need is to remove the old Domain Controller template from the CAs and add Kerberos Authentication. Configure the autoenrollment policy and that's all. Domain controllers will automatically pick up new certificates and will automatically renew them.

Crypt32 answered:

Use the pre-installed Kerberos Authentication template instead.

As for autoenrollment, edit the Default Domain Controllers Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Infrastructure and enable "Certificate Services Client - Auto-Enrollment". Enable both checkboxes. Make sure that the Kerberos Authentication template is added to the CA for issuance.

HannahXiong-MSFT answered:

Hello,

You are welcome. Thank you so much for your feedback.

We could follow the steps below:
1. Create a duplicate template of Domain Controller.
2. Optionally, change the template display name and template name.
3. In the "Cryptography" tab, set the value 2048 for the minimum key size.
4. Set Read, Enroll and Autoenroll permissions for Domain Controllers as shown in the screenshot.

[screenshot: 11.png]

5. Issue the certificate template as shown in the screenshot.

[screenshot: 12.png]

6. Configure the GPO setting for certificate autoenrollment on the DC as shown below.

[screenshot: 13.png]

[screenshot: 14.png]

7. Run gpupdate /force on the DCs.
8. Open the MMC.
Click File, and then click Add/Remove Snap-in.
In the available snap-ins list, click Certificates, and then click Add.
Then you can see the enrolled certificate that uses the "Copy of Domain Controller" certificate template.

[screenshot: 15.png]
[screenshot: 16.png]

Once the Group Policy for autoenrollment is configured, we do not need to manually request a new certificate on our domain controllers. Besides, it will automatically renew the expiring certificate. If we configure the GPO settings for certificate auto-enrollment as shown above, the domain controllers will renew their certificate next time from the new template (assuming that we do not configure the domain controller certificate autoenrollment policy for another certificate template).

Hope the information is helpful. Thanks again. For any question, please feel free to contact us.


Best regards,
Hannah Xiong
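To verify the outcome of the steps above (or of Crypt32's Kerberos Authentication approach) on a domain controller, here is an added PowerShell check that is not from this thread: it lists every certificate in the local computer's Personal store with the template that issued it and its RSA key size, flagging anything below 2048 bits. The function name `Get-DcCertificateKeyReport` and the `$MinimumKeySize` parameter are my own; the template extension OIDs are the standard ones Windows CAs stamp on issued certificates.

```powershell
# Added example (not from the thread): report certificates in the local
# computer's Personal store with issuing template and RSA key size, so you
# can confirm a DC picked up a 2048-bit certificate after autoenrollment.
# Run in an elevated PowerShell session on the domain controller.

function Get-DcCertificateKeyReport {
    param(
        # Minimum acceptable RSA key size (2048 matches the template default).
        [int]$MinimumKeySize = 2048
    )

    # Template extensions a Windows CA adds to issued certificates:
    #   1.3.6.1.4.1.311.20.2 = v1 template name (e.g. "DomainController")
    #   1.3.6.1.4.1.311.21.7 = v2+ template information (name/OID + version)
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $templateExt = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value }
        $template = if ($templateExt) {
            ($templateExt | ForEach-Object { $_.Format($false) }) -join '; '
        } else { '(none)' }

        # Only RSA keys have a meaningful bit size for this comparison.
        $keySize = $null
        if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
            $keySize = $cert.PublicKey.Key.KeySize
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Template     = $template
            KeySize      = $keySize
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            # True for the old 1024-bit DC certificate, so it stands out.
            BelowMinimum = ($null -ne $keySize -and $keySize -lt $MinimumKeySize)
        }
    }
}

Get-DcCertificateKeyReport | Sort-Object NotAfter | Format-Table -AutoSize

# Optional: trigger an autoenrollment pass now rather than waiting for the
# next scheduled cycle after gpupdate /force.
# certutil -pulse
```

Once the new certificate has been enrolled, the row for the old template should disappear after the CA's "Reenroll All Certificate Holders" or the next renewal, leaving only rows with BelowMinimum = False.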



11.png (26.2 KiB)
12.png (40.8 KiB)
13.png (58.9 KiB)
14.png (13.8 KiB)
15.png (48.3 KiB)
16.png (45.6 KiB)
· 1 · Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

WinTechie-3187 commented:

Hi Hannah,

Thanks again for the detailed steps.

However, I would like to highlight that the current domain controller certificate is automatically renewed without any autoenrollment policy in place within the Default Domain Controllers Policy (I would like to know how it is getting renewed automatically).

Also, once I execute the steps you mentioned, will it not renew certificates from two different templates (the original Domain Controller template and the new domain controller template with a 2048-bit key), considering that the existing domain controller certificates are being renewed without any explicit autoenrollment policy?