3.1.2.4.2.2.1.6 Certificate.Template.pKIDefaultCSPs

The client SHOULD use the Certificate.Template.pKIDefaultCSPs datum to determine the algorithm and the key size to be used to generate the private key as follows. For more details about the definition of the intNum and strCSP strings used in the processing rules below, see [MS-CRTD] section 2.8.

  1. Sort the list by using the intNum value in an ascending order.

  2. For each item in the list:

    • Map the strCSP string to an algorithm and key size using the table below. The cell used depends on the value of Certificate.Template.pKIDefaultKeySpec: 0x1 (AT_KEYEXCHANGE) or 0x2 (AT_SIGNATURE). "Not available" means the CSP cannot generate a key of that key spec.

      strCSP                                                              | pKIDefaultKeySpec = 0x1 (AT_KEYEXCHANGE) | pKIDefaultKeySpec = 0x2 (AT_SIGNATURE)
      --------------------------------------------------------------------|------------------------------------------|---------------------------------------
      "Microsoft Base Cryptographic Provider"                             | RSA, 512 [RFC8017]                       | RSA, 512 [RFC8017]
      "Microsoft Strong Cryptographic Provider"                           | RSA, 1024 [RFC8017]                      | RSA, 1024 [RFC8017]
      "Microsoft Enhanced Cryptographic Provider"                         | RSA, 1024 [RFC8017]                      | RSA, 1024 [RFC8017]
      "Microsoft AES Cryptographic Provider"                              | RSA, 1024 [RFC8017]                      | RSA, 1024 [RFC8017]
      "Microsoft DSS Cryptographic Provider"                              | Not available                            | DSA, 1024 [FIPS186]
      "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"      | Diffie-Hellman, 512 [RFC2631]            | DSA, 1024 [FIPS186]
      "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"  | Diffie-Hellman, 1024 [RFC2631]           | DSA, 1024 [FIPS186]
      "Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider"  | Diffie-Hellman, 512 [RFC2631]            | Not available
      "Microsoft RSA/Schannel Cryptographic Provider"                     | RSA, 1024 [RFC8017]                      | Not available

    • If the strCSP value does not appear in the table, or the cell for the current pKIDefaultKeySpec value is "Not available", skip this item and continue with the next item in the list.

    • Otherwise, use the mapped algorithm and key size when creating the private key, and stop processing the list.

  3. If no algorithm was selected in step 2, use the RSA algorithm and generate a 1024-bit key.
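The three steps above, carried out end to end in Python as an added worked example (this is not code from the MS-WCCE specification or from any Microsoft client). It assumes each pKIDefaultCSPs value is a string of the form "intNum,strCSP" as described in [MS-CRTD] section 2.8, matches strCSP exactly against the table, and uses constructed sample values. The minimum-key-size check at the end is an addition of this example, not a rule of this section: every entry in the table is a 512- or 1024-bit legacy CSP default, and a client that still honours them will produce keys far below the 2048-bit floor generally recommended today, so a practitioner auditing a template will want to see that flagged.

```python
# Worked example of Certificate.Template.pKIDefaultCSPs processing (added example,
# not code from MS-WCCE). Table values are transcribed from the section above.

AT_KEYEXCHANGE = 0x1  # Certificate.Template.pKIDefaultKeySpec values
AT_SIGNATURE = 0x2

# strCSP -> {key spec: (algorithm, key size)}; a missing key spec means "Not available".
CSP_TABLE = {
    "Microsoft Base Cryptographic Provider": {AT_KEYEXCHANGE: ("RSA", 512), AT_SIGNATURE: ("RSA", 512)},
    "Microsoft Strong Cryptographic Provider": {AT_KEYEXCHANGE: ("RSA", 1024), AT_SIGNATURE: ("RSA", 1024)},
    "Microsoft Enhanced Cryptographic Provider": {AT_KEYEXCHANGE: ("RSA", 1024), AT_SIGNATURE: ("RSA", 1024)},
    "Microsoft AES Cryptographic Provider": {AT_KEYEXCHANGE: ("RSA", 1024), AT_SIGNATURE: ("RSA", 1024)},
    "Microsoft DSS Cryptographic Provider": {AT_SIGNATURE: ("DSA", 1024)},
    "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider": {AT_KEYEXCHANGE: ("Diffie-Hellman", 512), AT_SIGNATURE: ("DSA", 1024)},
    "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider": {AT_KEYEXCHANGE: ("Diffie-Hellman", 1024), AT_SIGNATURE: ("DSA", 1024)},
    "Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider": {AT_KEYEXCHANGE: ("Diffie-Hellman", 512)},
    "Microsoft RSA/Schannel Cryptographic Provider": {AT_KEYEXCHANGE: ("RSA", 1024)},
}

FALLBACK = ("RSA", 1024)  # step 3: used when no table entry applies


def parse_default_csps(values):
    """Split each "intNum,strCSP" value (format assumed per [MS-CRTD] 2.8) into (intNum, strCSP)."""
    entries = []
    for value in values:
        num, sep, csp = value.partition(",")
        if not sep or not num.strip().isdigit():
            raise ValueError(f"malformed pKIDefaultCSPs value: {value!r}")
        entries.append((int(num.strip()), csp.strip()))
    return entries


def select_key_algorithm(default_csps, key_spec):
    """Return (algorithm, key size) following steps 1-3 of the section.

    default_csps: the raw pKIDefaultCSPs values; key_spec: pKIDefaultKeySpec (0x1 or 0x2).
    """
    if key_spec not in (AT_KEYEXCHANGE, AT_SIGNATURE):
        raise ValueError(f"unsupported pKIDefaultKeySpec value: {key_spec:#x}")
    # Step 1: sort by intNum ascending (sorted() is stable, so equal intNum keeps input order).
    for _, csp in sorted(parse_default_csps(default_csps), key=lambda entry: entry[0]):
        # Step 2: unknown CSP or "Not available" for this key spec -> next item.
        mapped = CSP_TABLE.get(csp, {}).get(key_spec)
        if mapped is None:
            continue
        return mapped
    # Step 3: nothing selected.
    return FALLBACK


# Minimum sizes used by this example's audit check; 2048 bits is the commonly recommended
# floor for RSA, DSA and finite-field Diffie-Hellman (an assumption of this example, not MS-WCCE).
MINIMUM_BITS = {"RSA": 2048, "DSA": 2048, "Diffie-Hellman": 2048}


def meets_minimum(selection):
    """True if the selected (algorithm, size) reaches the example's minimum key size."""
    algorithm, bits = selection
    return bits >= MINIMUM_BITS[algorithm]


if __name__ == "__main__":
    # Constructed sample: intNum order is deliberately reversed in the raw values.
    sample = [
        "2,Microsoft DSS Cryptographic Provider",
        "1,Microsoft RSA/Schannel Cryptographic Provider",
    ]
    for spec in (AT_KEYEXCHANGE, AT_SIGNATURE):
        choice = select_key_algorithm(sample, spec)
        print(f"keySpec={spec:#x}: {choice}, meets minimum: {meets_minimum(choice)}")
```

For AT_KEYEXCHANGE the sorted list yields the RSA/Schannel entry first, so RSA 1024 is chosen; for AT_SIGNATURE that entry is "Not available", the DSS entry is tried next, and DSA 1024 is chosen. An unrecognised CSP string, or a list whose entries are all "Not available" for the key spec, falls through to the RSA 1024 fallback of step 3. In every case the audit check reports the result as below the example's 2048-bit floor, which is the point a practitioner reviewing a template's pKIDefaultCSPs should take away.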