Cryptographic Options for CAs
Applies To: Windows Server 2008 R2
Selecting cryptographic options for a certification authority (CA) can have significant security, performance, and compatibility implications for that CA. Although the default cryptographic options may be suitable for most CAs, the ability to implement custom options can be useful to administrators and application developers with a more advanced understanding of cryptography and a need for this flexibility. Cryptographic options can be implemented by using cryptographic service providers (CSPs) or key storage providers.
CSPs are hardware and software components of Windows operating systems that provide generic cryptographic functions. CSPs can be written to provide a variety of encryption and signature algorithms.
Key storage providers can provide strong key protection on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
On the Configure Cryptography page of the CA setup process, you can configure the following options:
- Select a cryptographic service provider. Windows Server 2008 R2 and Windows Server 2008 include a number of CSPs, and additional CSPs or key storage providers can be added. In Windows Server 2008 R2 and Windows Server 2008, the provider list includes the name of the algorithm. All providers with a number sign (#) in the name are Cryptography Next Generation (CNG) providers. CNG providers can support multiple asymmetric algorithms. CSPs can implement only a single algorithm.
For more information, see Cryptography Next Generation (http://go.microsoft.com/fwlink/?LinkID=85480).
Key character length. Each CSP supports different character lengths for cryptographic keys. Configuring a longer key character length can enhance security by making it more difficult for a malicious user to decrypt the key, but it can also slow down the performance of cryptographic operations.
Select the hash algorithm for signing certificates issued by this CA. Hash algorithms are used to sign CA certificates and certificates issued by a CA to ensure that they have not been tampered with. Each CSP can support different hash algorithms.
The list of available hash algorithms can be restricted further if the DiscreteAlgorithm option has been configured in a CAPolicy.inf file installed on the computer before CA setup begins.
- Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA). This option can be used to help prevent unapproved use of the CA and its private key by requiring the administrator to enter a password before every cryptographic operation.