P
PeteMitch99
Hi, I am hoping that someone with some experience of CAs and ECDSA certs this can help me out by answering some of the questions the end of this post.
I am managing an existing CA company 2-tier infrastructure, with an offline root CA and also an enterprise CA which is a member of my forest root domain. Both servers are running 2012r2. All templates are issued from the enterprise CA and everything’s v2-v3 templates using RSA-256 encryption (default encryption types installed) and 2048 signing key lengths.
I have a request from a Cisco engineer to issue an ECDSA SHA384 certificate from the internal enterprise CA as the system as the Live Data stream now requires this. However the enterprise CA refused this csr request, I assume because the signing key is not long enough and the encryption algorithm is not installed.
I have read the following about Suite B compliant CAs. https://technet.microsoft.com/en-us/library/ff829847(v=ws.10).aspx.
However, I do not need a fully Suite-B compliant CA system, I just need the ability to sign and issue a certificate/certificate template based on the ECDSA standard from the enterprise CA.
Therefore, I have the following questions:
Continue reading...
I am managing an existing CA company 2-tier infrastructure, with an offline root CA and also an enterprise CA which is a member of my forest root domain. Both servers are running 2012r2. All templates are issued from the enterprise CA and everything’s v2-v3 templates using RSA-256 encryption (default encryption types installed) and 2048 signing key lengths.
I have a request from a Cisco engineer to issue an ECDSA SHA384 certificate from the internal enterprise CA as the system as the Live Data stream now requires this. However the enterprise CA refused this csr request, I assume because the signing key is not long enough and the encryption algorithm is not installed.
I have read the following about Suite B compliant CAs. https://technet.microsoft.com/en-us/library/ff829847(v=ws.10).aspx.
However, I do not need a fully Suite-B compliant CA system, I just need the ability to sign and issue a certificate/certificate template based on the ECDSA standard from the enterprise CA.
Therefore, I have the following questions:
- My ideal would be to install the encryption algorithms on the existing CA, create a new template for this specialist system, and get the user to use the new template, would there be any issue with any of the following using this approach?:
- Is using the existing RSA-256 root CA (chain) cert allowed while issuing ESDSA certs from the enterprise CA? Would I need to replace or install the encryption algorithms on the root CA and issue a new root cert from it? – This would involve a lot of work to reinstall all the certificates with a new root ca chain I think?
- Can I install the new encryption algorithms for ECDSA on an already running live production CA, and what is the best way to do this?
- I assume 2012r2 does not install encryption algorithms for the ECDSA-386 standard default – I can only find documentation on 2008r2?
- Is there anything else I should consider before I start?
Continue reading...