Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.
Compatibility settings for the certification authority
From Windows Server 2003 to Windows Server 2008
- Cryptography / Use alternate signature format (only if client compatibility is set accordingly, at least Windows Vista)
- Cryptography / Key Storage Provider (only if client compatibility is set accordingly, at least Windows Vista)
From Windows Server 2008 to Windows Server 2008 R2
- Server / Do not store certificates and requests in the CA database
- Server / Do not include revocation information in issued certificates
- Extensions / Basic Constraints (only if client compatibility is set accordingly, at least Windows 7)
From Windows Server 2008 R2 to Windows Server 2012
- Request Handling / Renew with the same key (only if client compatibility is set accordingly, at least Windows 8)
- Issuance Requirements / Allow key based renewal (only if client compatibility is set accordingly, at least Windows 8)
- Extensions / Enable requestor specified issuance policies (only if client compatibility is set accordingly, at least Windows 8)
From Windows Server 2012 to Windows Server 2012 R2
- Key Attestation / Required, if client is capable (only if client compatibility is set accordingly, at least Windows 8.1)
- Key Attestation / Required (only if client compatibility is set accordingly, at least Windows 8.1)
- Key Attestation / User credentials (only if client compatibility is set accordingly, at least Windows 8.1)
- Key Attestation / Hardware certificate (only if client compatibility is set accordingly, at least Windows 8.1)
- Key Attestation / Hardware key (only if client compatibility is set accordingly, at least Windows 8.1)
- Key Attestation / Perform attestation only (do not include issuance policies) (only if client compatibility is set accordingly, at least Windows 8.1)
From Windows Server 2012 R2 to Windows Server 2016
- No change
Compatibility settings for the certificate recipients
From Windows XP to Windows Vista
- Request Handling / For automatic renewal of smart card certificates, use the existing key if a new key cannot be created
- Cryptography / Use alternate signature format (only if server compatibility is set accordingly, at least Windows Server 2008)
- Cryptography / Key Storage Provider (only if server compatibility is set accordingly, at least Windows Server 2008)
From Windows Vista to Windows 7
- Extensions / Basic Constraints (only if server compatibility is set accordingly, at least Windows Server 2008 R2)
From Windows 7 to Windows 8
- Subject Name / Use subject information from existing certificates for autoenrollment renewal request
- Request Handling / Renew with the same key (only if server compatibility is set accordingly, at least Windows Server 2012)
- Issuance Requirements / Allow key based renewal (only if server compatibility is set accordingly, at least Windows Server 2012)
- Extensions / Enable requestor specified issuance policies (only if server compatibility is set accordingly, at least Windows Server 2012)
From Windows 8 to Windows 8.1
- Key Attestation / Required, if client is capable (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
- Key Attestation / Required (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
- Key Attestation / User credentials (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
- Key Attestation / Hardware certificate (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
- Key Attestation / Hardware key (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
- Key Attestation / Perform attestation only (do not include issuance policies) (only with correspondingly set server compatibility, at least Windows Server 2012 R2)
From Windows 8.1 to Windows 10
- No change
2 thoughts on “Übersicht über die Verfügbarkeit von Optionen bei Veränderung der Kompatibilitätseinstellungen einer Zertifikatvorlage”
Comments are closed.