JSI Tip 5573. Microsoft Enhanced CSP Is NOT supported for Certificate Services installations?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q254150 contains:

With the advanced installation of Certificate Services, an administrator can choose which cryptographic service provider (CSP) the Certification Authority (CA) uses for cryptographic operations. Although the Microsoft Enhanced CSP appears to be an available option, the Microsoft Enhanced CSP is not supported for use on the key pair for the CA.


There is no advantage or cryptographic strength increase in using the Microsoft Enhanced CSP to generate the CA's key pair. A CA performs only signing operations, which have the same limits in the Microsoft Base CSP and the Microsoft Enhanced CSP.

The primary difference between the Microsoft Base CSP and the Microsoft Enhanced CSP is the supported key size for data encryption operations. The Base CSP supports a maximum encryption key length of 1,024 bits, and the Enhanced CSP supports a maximum encryption key length of 16,384 bits.

A CA performs signing operations on issued certificates, Certificate Revocation Lists (CRLs), and the Certificate Services database. A Certification Authority (CA) does not perform any encryption operations. There is no benefit in using the Microsoft Enhanced CSP provider with Certificate Services. The maximum key length for digital signature operations for both CSPs is 16,384 bits.

There is no relationship between the signing technology that is used by the CA and the encryption capabilities of a client. A client can choose to use any supported key length for data encryption regardless of the length of the Certification Authority's key.

If Certificate Services has already been installed with the Microsoft Enhanced CSP, you can back up the CA certificate and private key and reinstall the CA. After the CA is reinstalled, select the Microsoft Base Cryptographic Service Provider, and then choose to use an existing keyset.

For information about how to back up, remove, and reinstall the Certification Authority, see:
Q313272 HOW TO: Back Up and Restore a Certificate Authority in Windows
Q231881 How to Install/Uninstall a Public Key Certificate Authority
For additional information about how to back up and restore a Microsoft Certificate Authority, click the article number below to view the article in the Microsoft Knowledge Base:

Q298138 HOW TO: Move a Certification Authority to Another Server

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.