Hi,
We are going to deploy an internal Windows 2012 PKI and were wondering about bit-length best practices.
The question is both around the overall PKI deployment, and a more specific Lync requirement:
Extract from: http://technet.microsoft.com/en-us/library/gg398577.aspx
The minimum size for an OAuth certificate key is 1024 bits. A warning may be displayed if you request a certificate with a key length less than 2048 bits in length. To avoid potential problems in the event that a key length of 2048 is enforced instead of warned, it is strongly recommended to always use a key length of 2048 for OAuth certificates.
so...
- Does the OAuth certificate use the 'Web Server' certificate template?
- Does the Lync certificate wizard also make use of the 'Web Server' certificate template?
- If yes, based on the TechNet recommendation above, all of the 'Web Server' certificate templates should be 2048-bit?
- Or, should we have a different 'Web Server' 2048-bit template for the OAuth certificate and another 'Web Server' 1024-bit template for the other internal Lync certificates?
- Is 2048-bit still OK for a Subordinate CA? If it's 2048-bit, can it issue end certificates that are also 2048-bit?
- Is SHA-1 still OK for Subordinate CA?
- Is 4096-bit still OK for the Root CA?
- Is SHA-1 still OK for Root CA?
Thank you,
SK
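The questions above boil down to "which of our certificates (and which CA certificates) fall below the 2048-bit minimum the TechNet extract recommends, and which are still SHA-1 signed, and which template did they come from". The following PowerShell is an added example, not code from the original post or from the TechNet article, that audits the local machine's certificate stores for exactly those properties. The store paths, the 2048-bit threshold applied to every certificate, the list of hash algorithms treated as weak, and the function name Test-CertKeyPolicy are all assumptions made for this illustration.

```powershell
# Added example (not from the original post or the TechNet article): audit
# certificate key lengths, signature hash algorithms and issuing template on a
# Windows host. Assumptions (not stated on the page): the 2048-bit minimum from
# the TechNet extract is applied to every certificate, not only the OAuth one,
# and SHA-1/MD5 signatures are reported because the post asks about SHA-1.

function Test-CertKeyPolicy {
    [CmdletBinding()]
    param(
        # Stores to audit: the machine's own certs, intermediate (subordinate) CAs, trusted roots.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'),
        [int]$MinimumKeySize = 2048,
        [string[]]$WeakHashes = @('sha1RSA', 'sha1ECDSA', 'md5RSA')
    )

    # Microsoft template extensions: v1 templates (e.g. the built-in 'Web Server'
    # template, internal name WebServer) carry the name in 1.3.6.1.4.1.311.20.2,
    # v2+ templates carry OID/version in 1.3.6.1.4.1.311.21.7.
    $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            $issues = @()

            # RSA keys expose KeySize directly; on .NET Framework, PublicKey.Key
            # throws for ECC keys, so treat an unreadable size as a finding to review.
            $keySize = $null
            try { $keySize = $cert.PublicKey.Key.KeySize } catch { }
            if ($null -eq $keySize) {
                $issues += 'key size not readable (non-RSA key?)'
            } elseif ($keySize -lt $MinimumKeySize) {
                $issues += "key $keySize-bit < $MinimumKeySize-bit"
            }

            # Signature hash used by the issuer; a root's self-signature and a
            # subordinate's signature from the root are both checked this way.
            $hash = $cert.SignatureAlgorithm.FriendlyName
            if ($WeakHashes -contains $hash) { $issues += "signed with $hash" }

            # Decode the template extension (text form) so the report shows which
            # template, e.g. WebServer, produced the certificate.
            $template = ($cert.Extensions |
                Where-Object { $templateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) }) -join ' | '

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                KeySize    = $keySize
                HashAlg    = $hash
                Template   = $template
                Thumbprint = $cert.Thumbprint
                Issues     = ($issues -join '; ')
            }
        }
    }
}

# Report only the certificates that violate the policy.
Test-CertKeyPolicy |
    Where-Object { $_.Issues } |
    Format-Table Store, Subject, KeySize, HashAlg, Template, Issues -AutoSize
```

Run it in an elevated PowerShell session on the Lync servers and on the CA hosts; the Template column shows whether the OAuth certificate and the other Lync certificates really came from the same 'Web Server' template, and the Store column separates end-entity findings (My) from subordinate (CA) and root (Root) findings, which is the split the questions above are asking about.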