List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need for stronger cryptographic keys also increases. Often (for example, because the keys have to be protected by a Trusted Platform Module) there is a need to use keys based on elliptic curves (ECC). Before using them, it is essential to ensure compatibility with the intended use cases.

Below is a list of use cases for which I am aware of the compatibility status.

| Use Case | Status |
| --- | --- |
| Domain controller | Supported. However, compatibility issues may occur on the client side. Likewise, Active Directory Web Services do not support Key Storage Providers, so it is not possible to use ECC keys for them either. You can even prevent other certificate types, such as Remote Desktop, from being used with ECC keys. |
| Web Server | Supported. |
| Network Device Registration Service (NDES), Registration Authority certificates | Not supported, as only Cryptographic Service Providers (CSP), which do not support ECC keys, can be used. The RFC for the SCEP protocol itself excludes the support, but in the Microsoft implementation it is not given. |
| Network Device Registration Service (NDES), device certificates | Supported. Implemented in PSCertificateEnrollment as of version 1.0.7. |
| Remote Desktop Session Host | Supported. However, compatibility issues may occur on the client side. |
| Online responder (OCSP) | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority certificates | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority Web Enrollment (CAWE), certificate enrollment | Not supported, since only certificate templates of versions 1 and 2 are used, which in turn can only use Cryptographic Service Providers (CSP), which do not support ECC keys. |
| Trusted Platform Module (TPM) as a key backend | Supported in conjunction with autoenrollment, but only from Windows 10 21H2 or Windows 11. |
| Microsoft Intune | Not supported. |
| VMware Workspace One (AirWatch) | Not supported. |
| Windows Defender Application Control (WDAC) | Not supported. This is explicitly pointed out ("ECDSA isn't supported."). |
