How to set up a CA with a CNG (ECC) certificate

One of the improvements of the Windows Server 2008 Certification authority is the support for Cryptography Next Generation (CNG) with Elliptic Curve Cryptography (ECC).


I have described the CNG capabilities in my Certificate Server Enhancements in Windows Server codename “Longhorn” whitepaper but after reviewing the paper recently I noticed that it does not exactly explain how to set up a new Windows Server 2008 CA with a CNG certificate.

Also, the reference provided in paragraph “Configuring setup using a CAPolicy.inf file” is outdated and refers to an invalid page. The PKCS #1: RSA Cryptography Standard is now documented at


To set up a CA with a CNG certificate, perform the normal “Active Directory Certificate Services” setup procedure until you reach the Configure Cryptography for CA wizard page. Now you have to decide which Cryptography or Key Provider is used by the CA. All providers that have a #-sign as prefix in their name represent key storage provider and can support CNG algorithms.


Even if you don’t have a requirement for a CNG certificate today, you should select a key storage provider that is supporting CNG. Luckily, the RSA#Microsoft Software Key Storage Provider is the default setting so that you have greater flexibility regarding hash algorithm configuration compared to cryptographic service providers. How to change the hash algorithm for a key storage provider is described in the chapter “Configuring the Cryptographic Algorithms used by the CA” in the Certificate Server Enhancements in Windows Server codename “Longhorn” whitepaper.

Comments (1)

  1. According to the table on page 11 in IPsec is able to verify the validity of CNG certificates. However IPsec is not able to actually use CNG certificates.