As computing power becomes ever more available, the need for stronger cryptographic keys grows with it. Often there is a requirement (for example, because the keys have to be protected by a Trusted Platform Module) to use keys based on elliptic curves (ECC). Before using them, it is essential to ensure compatibility with the intended use cases.
Below is a list of use cases for which the compatibility status is known to me.
| Use Case | Status |
|---|---|
| Domain controller | Supported. However, compatibility issues may occur on the client side. Likewise, Active Directory Web Services do not support Key Storage Providers, so it is not possible to use ECC keys for them either. This can even prevent other certificate types, such as Remote Desktop, from being used with ECC keys. |
| Web Server | Supported. |
| Network Device Registration Service (NDES), Registration Authority certificates | Not supported, as only Cryptographic Service Providers (CSPs), which do not support ECC keys, can be used. The RFC for the SCEP protocol itself excludes this support, and the Microsoft implementation does not provide it. |
| Network Device Registration Service (NDES), Device certificates | Supported. Implemented in PSCertificateEnrollment as of version 1.0.7. |
| Remote Desktop Session Host | Supported. However, compatibility issues may occur on the client side. |
| Online responder (OCSP) | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority certificates | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority Web Enrollment (CAWE), Certificate Enrollment | Not supported, since only certificate templates of versions 1 and 2 are used, which in turn only allow Cryptographic Service Providers (CSPs), which do not support ECC keys. |
| Trusted Platform Module (TPM) as a key backend | Supported in conjunction with Autoenrollment, but only from Windows 10 21H2 or Windows 11 onwards. |
| Microsoft Intune | Not supported. |
| VMware Workspace One (AirWatch) | Not supported. |
| Windows Defender Application Control (WDAC) | Not supported. Microsoft explicitly points this out ("ECDSA isn't supported."). |
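What a practitioner usually needs next is a way to check, in their own environment, which templates can actually hand out ECC keys (per the notes above: schema version 3 or higher, since version 1 and 2 templates are limited to CSPs) and which issued ECC certificates ended up in which provider, including the TPM-backed Microsoft Platform Crypto Provider. The following PowerShell is an added example of mine, not code from the original post or from PSCertificateEnrollment. It assumes Windows PowerShell 5.1 on a domain-joined machine with read access to the Configuration partition; the provider-name and version heuristics in it are my assumptions, not documented rules.

```powershell
# Added example, not from the original post. Assumptions: Windows PowerShell 5.1
# on a domain-joined machine with read access to the Configuration partition;
# the "KSP name" and "CSP-only" heuristics are mine, derived from the notes above
# (template schema versions 1 and 2 are CSP-only and therefore cannot yield ECC keys).

function Get-EccCapableTemplate {
    # Lists every certificate template with its schema version, key algorithm
    # and configured providers, and flags whether it can produce ECC keys.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $config   = $rootDse.Get("configurationNamingContext")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
    $searcher.Filter     = "(objectClass=pKICertificateTemplate)"
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        "cn", "msPKI-Template-Schema-Version", "msPKI-Asymmetric-Algorithm", "pKIDefaultCSPs"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names come back lower-cased
        $version = [int]$p["mspki-template-schema-version"][0]
        # msPKI-Asymmetric-Algorithm is only populated on version 3+ templates; older ones are RSA.
        $algorithm = if ($p["mspki-asymmetric-algorithm"].Count -gt 0) {
            [string]$p["mspki-asymmetric-algorithm"][0] } else { "RSA" }
        # pKIDefaultCSPs values look like "1,Microsoft Software Key Storage Provider".
        $providers = @($p["pkidefaultcsps"] | ForEach-Object { ($_ -split ",", 2)[1] })
        # Heuristic (assumption): KSP names contain "Key Storage Provider" or "Platform Crypto Provider".
        $ksps = @($providers | Where-Object { $_ -match "Key Storage Provider|Platform Crypto Provider" })

        [pscustomobject]@{
            Template      = [string]$p["cn"][0]
            SchemaVersion = $version
            KeyAlgorithm  = $algorithm
            Providers     = ($providers -join "; ")
            # v1/v2 templates are CSP-only, so ECC keys are out of reach regardless of other settings.
            EccCapable    = ($version -ge 3 -and $algorithm -like "EC*")
            KspOnly       = ($providers.Count -gt 0 -and $ksps.Count -eq $providers.Count)
        }
    }
}

function Get-EccCertificateInventory {
    # Lists certificates with an elliptic-curve public key and, where a private
    # key is present, which provider holds it and whether that is the TPM KSP.
    param([string]$StorePath = "Cert:\LocalMachine\My")
    $ecExt = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # 1.2.840.10045.2.1 is id-ecPublicKey; RSA certificates are skipped.
        if ($cert.PublicKey.Oid.Value -ne "1.2.840.10045.2.1") { continue }
        $provider = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = $ecExt::GetECDsaPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.ECDsaCng]) { $provider = $key.Key.Provider.Provider }
            } catch { $provider = "inaccessible ($($_.Exception.Message))" }
        }
        $keySize = try { $ecExt::GetECDsaPublicKey($cert).KeySize } catch { $null }
        # Template information extension (v2+ templates) or the older template name extension.
        $tmpl = $cert.Extensions | Where-Object {
            $_.Oid.Value -in @("1.3.6.1.4.1.311.21.7", "1.3.6.1.4.1.311.20.2") } | Select-Object -First 1
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            KeySizeBits   = $keySize          # 256 / 384 / 521 for the NIST curves
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $provider
            TpmBacked     = ($provider -eq "Microsoft Platform Crypto Provider")
            Template      = if ($tmpl) { $tmpl.Format($false) } else { $null }
        }
    }
}

Get-EccCapableTemplate | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
Get-EccCertificateInventory | Format-Table -AutoSize
```

The first listing makes the CAWE limitation from the table visible directly: any template with a schema version of 1 or 2 shows up as not ECC-capable no matter which providers it names. The second listing is the check to run on a Windows 10 21H2 or Windows 11 client after autoenrollment against a TPM-backed template, since a key that landed in the software KSP instead of the Platform Crypto Provider is easy to miss otherwise.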
Related links:
- Basics: Elliptic curves with regard to their use in the public key infrastructure
- Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
- Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)
- Basics of online responders (Online Certificate Status Protocol, OCSP)
- Network Device Enrollment Service (NDES) Basics
- Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider
- Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES)
- Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell
External sources
- Use signed policies to protect Windows Defender Application Control against tampering (Microsoft Corporation)
- RFC 8894 - Simple Certificate Enrolment Protocol (Internet Engineering Task Force)