Selecting cryptographic options for a certification authority (CA) can have significant security, performance, and compatibility implications for that CA. Although the default cryptographic options may be suitable for most CAs, the ability to implement custom options can be useful to administrators and application developers with a more advanced understanding of cryptography and a need for this flexibility. Cryptographic options can be implemented by using cryptographic service providers (CSPs) or key storage providers.
CSPs are hardware and software components of Windows operating systems that provide generic cryptographic functions. CSPs can be written to provide a variety of encryption and signature algorithms.
Key storage providers can provide strong key protection on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
On the Configure Cryptography page of the CA setup process, you can configure the following options:
- Select a cryptographic service
provider. Windows Server 2008 R2 and Windows
Server 2008 include a number of CSPs, and additional CSPs or
key storage providers can be added. In Windows
Server 2008 R2 and Windows Server 2008, the provider
list includes the name of the algorithm. All providers with a
number sign (#) in the name are Cryptography Next Generation (CNG)
providers. CNG providers can support multiple asymmetric
algorithms. CSPs can implement only a single algorithm.
For more information, see Cryptography Next Generation (http://go.microsoft.com/fwlink/?LinkID=85480).
- Key character length. Each CSP
supports different character lengths for cryptographic keys.
Configuring a longer key character length can enhance security by
making it more difficult for a malicious user to decrypt the key,
but it can also slow down the performance of cryptographic
- Select the hash algorithm for signing
certificates issued by this CA. Hash algorithms are used to
sign CA certificates and certificates issued by a CA to ensure that
they have not been tampered with. Each CSP can support different
The list of available hash algorithms can be restricted further if the DiscreteAlgorithm option has been configured in a CAPolicy.inf file installed on the computer before CA setup begins.
- Use strong private key protection features
provided by the CSP (this may require administrator interaction
every time the private key is accessed by the CA). This option
can be used to help prevent unapproved use of the CA and its
private key by requiring the administrator to enter a password
before every cryptographic operation.