Dec 30 2023 09:37 PM - edited Feb 02 2024 08:49 AM
There is an issue with the name of the elliptic curves provider ECDSA_P521 Smartcard + MS Key Storage Provider.
This could be a very unfortunate typo, as renaming the cryptoprovider might break things when already in use; hoping, though, that these strong providers are not widely in use, as certain applications do not support ECDSA, or not at this high security value.
I believe this issue reaches back from vNext to WS 2019. Hope this one can still be fixed.
Tested in latest WS 2022 and vNext.
Repro Steps:
Install Windows Server 2019 / 2022 / vNext with the GUI option (for simplicity; it also affects Server Manager remotely)
Install the AD CS role, Certification Authority
Run the post-deployment wizard
At the point where you choose the root CA certificate, open the cryptographic options dropdown
Expected behaviour:
The correct name should be ECDSA_P512#xxxxx
*512 for the bit strength
Feb 01 2024 02:04 AM
Solution
Hi @Karl-WE, I think there might be a misunderstanding about what "P521" represents in that key storage provider. P521 (along with P256 and P384) are elliptic curves that have been defined by the U.S. National Institute of Standards and Technology (NIST) in FIPS 186-4, section D.1.2.5, as well as in SP 800-186, section 3.2.1.5. "P521" is actually the correct name to represent this elliptic curve in that key storage provider.
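To make the naming concrete, here is an added example (not part of this thread, and not Microsoft's code) showing where the number in ECDSA_P256 / ECDSA_P384 / ECDSA_P521 comes from: it is the bit length of each curve's field prime as specified in FIPS 186-4, section D.1.2. The prime formulas are the published NIST ones; the helper names and the Miller-Rabin check are constructed for this illustration.

```python
# Added example (not from the thread): why the CNG algorithm is named ECDSA_P521.
# NIST prime-field curves are named after the bit length of their field prime p
# (FIPS 186-4, section D.1.2). For P-521 that prime is 2^521 - 1, a 521-bit number.
# The prime formulas below are the published FIPS 186-4 values; the rest is constructed.

NIST_PRIMES = {
    "P256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "P384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "P521": 2**521 - 1,
}

def field_bits(curve: str) -> int:
    """Bit length of the curve's field prime, which is the number in its name."""
    return NIST_PRIMES[curve].bit_length()

def cng_algorithm_name(curve: str) -> str:
    """CNG-style algorithm name as shown in the AD CS wizard, e.g. ECDSA_P521."""
    if curve not in NIST_PRIMES:
        raise ValueError(f"not a NIST prime-field curve: {curve}")
    return f"ECDSA_{curve}"

def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23)) -> bool:
    """Miller-Rabin with fixed bases: enough for a demonstration, not a proof."""
    if n < 2:
        return False
    for p in bases:              # trial division by the small bases first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0              # write n - 1 as d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a is a witness that n is composite
    return True

if __name__ == "__main__":
    for curve in NIST_PRIMES:
        print(cng_algorithm_name(curve), field_bits(curve), is_probable_prime(NIST_PRIMES[curve]))
    # A "P512" of the same shape would need 2^512 - 1 to be prime; it is not (3 divides it).
    print("2^512 - 1 prime?", is_probable_prime(2**512 - 1))
```

Running it shows each provider name paired with its field size (256, 384, 521) and that 2^512 - 1 is composite, which is why there is no NIST "P-512" curve to name a provider after.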