Best Practice for Configuring Certificate Template Cryptography

Starting with Windows Vista and Windows Server 2008, certificate templates can use Key Storage Providers (KSPs), the Cryptography Next Generation (CNG) providers, in addition to the legacy Cryptographic Service Providers (CSPs). These options appear on the Cryptography tab when you create or duplicate a certificate template (a KSP can only be chosen on a template whose compatibility level is Windows Server 2008 or later). Depending on the template you duplicated, the default may be "Request can use any provider available on the subject's computer", which lets each client generate its key with whatever provider it happens to have. The best practice is to select "Requests must use one of the following providers" and then check only the providers you actually want to be used. Keep in mind that KSPs exist only on Windows Vista/Windows Server 2008 and later, so a template restricted to a KSP cannot be enrolled by older clients. Another best practice is to set a minimum key size of at least 2048 bits; 1024-bit RSA keys are no longer considered adequate.
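The following PowerShell script is an added example, not code from the original post, that audits every template published in Active Directory for the two settings just described. It assumes a domain-joined machine with the ActiveDirectory module (RSAT) and an account that can read the Configuration partition, and it relies on the attributes the Cryptography tab writes: the provider list in the multi-valued pKIDefaultCSPs attribute (entries of the form "<order>,<provider name>"; an empty list means "any provider"), the minimum key size in msPKI-Minimal-Key-Size, and the template version in msPKI-Template-Schema-Version. The 2048-bit threshold and the name-based KSP detection are policy choices made here, not settings from the page.

```powershell
# Added example (not from the original post): audit AD CS certificate templates
# for "any provider" and for minimum key sizes below a policy threshold.
#
# Assumptions: ActiveDirectory (RSAT) module available; the account can read the
# Configuration partition; pKIDefaultCSPs holds the "Requests must use one of the
# following providers" list (empty = any provider); msPKI-Minimal-Key-Size holds
# the minimum key size; msPKI-Template-Schema-Version >= 3 means a 2008+ template.
Import-Module ActiveDirectory

$minimumKeyBits = 2048   # policy threshold used for the WeakKey flag (assumption)

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$properties = 'displayName', 'pKIDefaultCSPs', 'msPKI-Minimal-Key-Size',
              'msPKI-Template-Schema-Version'

$report = Get-ADObject -SearchBase $templateContainer `
                       -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                       -Properties $properties |
    ForEach-Object {
        # Strip the "<order>," prefix. Filtering out empty values makes an unset
        # attribute produce an empty array instead of a one-element array of $null.
        $providers = @($_.pKIDefaultCSPs | Where-Object { $_ } |
                       ForEach-Object { ($_ -split ',', 2)[-1] })
        $keyBits = [int]$_.'msPKI-Minimal-Key-Size'

        # Name-based heuristic covering Microsoft's in-box KSPs; third-party
        # (e.g. HSM) KSPs may use other names and need to be added here.
        $usesKsp = [bool]($providers | Where-Object {
            $_ -like '*Key Storage Provider*' -or $_ -like '*Platform Crypto Provider*' })

        [pscustomobject]@{
            Template      = $_.displayName
            SchemaVersion = $_.'msPKI-Template-Schema-Version'
            MinKeyBits    = $keyBits
            AnyProvider   = ($providers.Count -eq 0)
            WeakKey       = ($keyBits -lt $minimumKeyBits)
            UsesKsp       = $usesKsp
            Providers     = if ($providers.Count) { $providers -join '; ' }
                            else { '<any provider on the client>' }
        }
    }

# Templates that violate either best practice from the post.
$report | Where-Object { $_.AnyProvider -or $_.WeakKey } |
    Sort-Object Template |
    Format-Table Template, SchemaVersion, MinKeyBits, AnyProvider, WeakKey, UsesKsp, Providers -AutoSize

# Templates restricted to a KSP, which pre-Vista clients cannot enroll.
$report | Where-Object { $_.UsesKsp } | Select-Object Template, Providers
```

Fix the flagged templates in the Certificate Templates console (certtmpl.msc) rather than by editing the attributes directly; re-run the script afterwards to confirm that no template still reports AnyProvider or WeakKey as True.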

More about this topic is on the TechNet Wiki

Comments (4)
  1. paul says:

    What is the effect for XP/2003 machines or users on those machines that are using Auto-Enrollment when a template is configured for Microsoft Software Key Storage Provider?

  2. ryan says:


    KSPs aren't installed on Windows XP or 2003 (they are part of CNG, which is only available to Vista/2008+)

    As such, I expect the effect would be that auto-enrolment would not be possible (as the computer does not have the provider required to generate keys).

    Does somebody who has tested this wish to confirm?



  4. Ernie says:

    When I look at the above settings on my 2012 R2 CA, under Algorithm name it states ‘Determined by CSP’ and I cannot select any other option. I assume this is because we are using an HSM device?

