2

The problem all started when Microsoft updated the security of systems by requiring a minimum key length of 1024. Please refer to Microsoft Security Advisory (2661254). In the past, we were using the "Smartcard logon" template that is built into Server 2008 R2. This created a certificate with a 512-bit public key and used the "sha1RSA" signature algorithm.

Because it is not possible to change the key size in the template, we duplicated the Smartcard logon template and modified it to use a 2048-bit key. When we re-issued certificates on our smart cards, it created certificates using the "RSASSA-PSS" signature algorithm. These cards work fine in Vista, 7 and 2008 but do not work in WinXP.

Can you please outline, in detail, exactly what steps need to be followed to create a template that can be used to issue cards with at least 1024-bit public keys that would work under XP?

2 Answers

3

Windows XP doesn't support the RSASSA-PSS algorithm.

The following should solve the issue. In the "Smartcard logon" template, go to the "Compatibility" tab and set the "Certificate recipient" field to "Windows XP / Server 2003". I can't test this but it should work.
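Whichever template change is applied, the two properties this thread turns on (public key length of at least 1024 bits per advisory 2661254, and a signature algorithm other than RSASSA-PSS so XP can validate the chain) can be checked on the issued certificates before the cards are handed out. The following PowerShell is an added example, not code from the question or answer above; the store path, the `.cer` file input and the compatibility thresholds are assumptions, and the RSASSA-PSS OID `1.2.840.113549.1.1.10` is the standard PKCS#1 identifier for that algorithm.

```powershell
# Added example (not from the original thread): audit certificates for the two
# compatibility problems discussed above.
#   - public key shorter than 1024 bits (blocked by Microsoft advisory 2661254)
#   - signature algorithm RSASSA-PSS (not supported on Windows XP)
# Assumptions: certificates are read from a certificate store path such as
# Cert:\CurrentUser\My, or from exported .cer files on disk.

$MinKeyBits = 1024                          # assumed threshold from the advisory
$PssOid     = '1.2.840.113549.1.1.10'       # RSASSA-PSS signature algorithm OID

function Get-CertKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # .PublicKey.Key gives an RSA/DSA object whose KeySize is the modulus length.
    try { return $Cert.PublicKey.Key.KeySize } catch { return $null }
}

function Test-SmartcardCertCompat {
    <#
      Reports, per certificate, whether it meets the minimum key length and
      whether its signature algorithm will be accepted by Windows XP.
      -Path may be a certificate store path or a folder of .cer files.
    #>
    param(
        [string]$Path = 'Cert:\CurrentUser\My',   # assumed default location
        [int]$MinBits = $MinKeyBits
    )

    $certs = if ($Path -like 'Cert:*') {
        Get-ChildItem -Path $Path
    } else {
        Get-ChildItem -Path $Path -Filter *.cer | ForEach-Object {
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
        }
    }

    foreach ($cert in $certs) {
        $bits   = Get-CertKeyBits -Cert $cert
        $sigOid = $cert.SignatureAlgorithm.Value
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            KeyBits        = $bits
            SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
            MeetsKeyLength = ($bits -ne $null -and $bits -ge $MinBits)
            XpCompatible   = ($sigOid -ne $PssOid)
            Status         = if ($bits -ne $null -and $bits -ge $MinBits -and $sigOid -ne $PssOid) { 'OK' } else { 'FIX' }
        }
    }
}

# Usage: list every certificate in the current user's store and flag the ones
# that XP will reject or that fall under the 1024-bit minimum.
Test-SmartcardCertCompat | Format-Table -AutoSize
```

Run it against the store on a machine that has enrolled the new template, or point `-Path` at a folder of exported `.cer` files; any row with `XpCompatible` false is a certificate signed with RSASSA-PSS, which is the condition the answer above describes, and any row with `MeetsKeyLength` false is one the advisory's minimum will block regardless of client OS.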

0

Unfortunately, I think that there only is a "Compatibility" tab in Server 2012. I am still stuck with 2008.

Does anyone know of a way to change the Signature algorithm created by the Smartcard logon template?