WinTechie-3187 asked

Certificate key size of domain controller to 2048 bit

Hi,

I want to implement 2048-bit key size domain controller certificates for my domain controllers. Right now they have a 1024-bit key size domain controller certificate.

I would like to get the steps below verified (let me know if anything else is required).

  • create a duplicate of domain controller certificate template with minimum key size 2048 in cryptography

  • set read, enroll and autoenroll permissions

  • Issue the certificate template

Question 1: Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template as my current 1024 domain controller certificate has no explicit GPO configured and they are renewed automatically?

Question 2: Also, once the above-mentioned steps are executed, will it not renew certificates from 2 different templates (original domain controller and new domain controller template with 2048 key), considering existing domain controller certificates are being renewed without having any explicit autoenrollment policy?

Thanks in advance for the help
windows-server-security
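Before changing templates it is worth knowing exactly which certificates the DCs hold today, which template each came from, and which key sizes are in use. The following PowerShell is an added example, not code from the original question or from Microsoft; it reads the template extension and RSA key size of every certificate in the DC's machine store and flags anything below 2048 bits. The `Get-DcCertificateKeyAudit` function name and the 2048-bit threshold are this example's own choices; the fan-out at the end assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example (not from the original post): audit the key size of the
# certificates in the local machine store on a domain controller and flag
# anything under 2048 bits. Run on a DC, or fan it out with Invoke-Command.

function Get-DcCertificateKeyAudit {
    param(
        [int]$MinimumKeyBits = 2048   # assumed threshold; matches the question
    )

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # The originating template is recorded in the "Certificate Template
        # Name" extension (v1 templates, OID 1.3.6.1.4.1.311.20.2) or the
        # "Certificate Template Information" extension (v2+, OID
        # 1.3.6.1.4.1.311.21.7); read whichever is present.
        $templateExt = $cert.Extensions | Where-Object {
            $_.Oid.Value -in @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
        } | Select-Object -First 1
        $template = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }

        # Prefer the RSA accessor (works on .NET 4.6+ / PowerShell 5.1 and 7);
        # fall back to the legacy Key property for anything else.
        $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $cert.PublicKey.Key.KeySize }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Subject    = $cert.Subject
            Template   = $template
            KeyBits    = $keyBits
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Compliant  = ($keyBits -ge $MinimumKeyBits)
        }
    }
}

# Collect the audit from every DC in the domain (assumes the ActiveDirectory
# module is installed here and WinRM is reachable on the DCs).
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Get-DcCertificateKeyAudit}

# Only the certificates that still need replacing.
$report | Where-Object { -not $_.Compliant } |
    Format-Table Computer, Subject, Template, KeyBits, NotAfter -AutoSize
```

Run the audit again after the new template has been published and autoenrollment has had a cycle; a DC that still shows a 1024-bit certificate from the old template tells you that template is still published on a CA or that the autoenrollment policy did not reach that machine.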

Crypt32 answered

Q1: yes, it is necessary to create an autoenrollment policy when using custom template. However, you may not need to create a custom template. You can utilize "Kerberos Authentication" certificate template which should have proper key length. It already has all proper permissions. And remove "Domain Controller" and "Domain Controller Authentication" templates from CAs.

Q2: see above. Just remove unnecessary templates from CAs.

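The two actions in this answer (publish "Kerberos Authentication", stop publishing the two legacy DC templates) and the autoenrollment policy from Q1 can be carried out and verified from a command line. The block below is an added example, not code from the answer's author; it uses the `certutil` verbs `-CATemplates`, `-SetCATemplates` and `-pulse`, which exist on Windows Server, and assumes it is run from an elevated prompt on the issuing CA (or a DC, for the last part). The template short names are the built-in ones; the `AEPolicy` registry value is the one the "Certificate Services Client - Auto-Enrollment" group policy setting writes.

```powershell
# Added example (not from the original answer): apply the template change on
# the issuing CA and confirm autoenrollment on a DC. Elevated prompt assumed.

# 1. List the templates the CA currently publishes, to record the "before" state.
certutil -CATemplates

# 2. Publish the built-in "Kerberos Authentication" template (short name
#    KerberosAuthentication; 2048-bit minimum key by default) and stop
#    publishing the two legacy DC templates. "+" adds, "-" removes.
certutil -SetCATemplates +KerberosAuthentication
certutil -SetCATemplates -DomainController
certutil -SetCATemplates -DomainControllerAuthentication

# 3. Verify the published set now contains KerberosAuthentication and neither
#    legacy template. Repeat steps 1-3 on every issuing CA in the forest.
certutil -CATemplates

# 4. On a DC: confirm the computer autoenrollment policy has applied. The GPO
#    setting writes AEPolicy under this key; bit 0x1 = enabled, 0x2 = renew
#    expired / update pending / remove revoked, 0x4 = update template-based
#    certificates (7 when both checkboxes are ticked); 0x8000 = disabled.
gpupdate /target:computer /force | Out-Null
$ae = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
                       -ErrorAction SilentlyContinue
if (-not $ae -or ($ae.AEPolicy -band 0x8000)) {
    Write-Warning "Computer autoenrollment policy is not enabled on $env:COMPUTERNAME"
} elseif ($ae.AEPolicy -band 0x1) {
    "Autoenrollment enabled on $env:COMPUTERNAME (AEPolicy=$($ae.AEPolicy))"
}

# 5. Trigger an autoenrollment pass now instead of waiting for the next
#    scheduled one, then confirm the new certificate arrived.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
                    ForEach-Object { $_.Format($false) }) -match 'Kerberos Authentication' } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

Removing the legacy templates from the CA is what prevents the double-renewal asked about in Q2: autoenrollment only issues from templates a CA still publishes, so once only "Kerberos Authentication" is available the existing 1024-bit certificates age out without being renewed from their old template.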

VickyWang-MFST answered

> Do I have to create an explicit GPO for autoenrollment (renewal) for this new certificate template as my current 1024 domain controller certificate has no explicit GPO configured and they are renewed automatically?

According to my knowledge, I suggest you create an automatic registration strategy.

> Also, once above mentioned steps are executed, will it not renew certificate from 2 different template (original domain controller and new domain controller template with 2048 key) considering existing domain controller certificates are being renewed without having any explicit autoenrollment policy

As the MVP said, just removing the unnecessary templates from the CA will do.

Hope this information can help you.
Best wishes,
Vicky
