Hi
I'm seeing a problem with CA-Xchg renewal and I'm hoping someone can help. This is on a w2k3 R2 SP2 CA machine that's attached to an HSM.
The first time the CA issues itself the CA-Xchg certificate, it used all the correct settings (key length=2048, EncryptionCSP=<HSM vendor>, etc). The CA-Xchg certificate & keys are in the HSM so everything is fine.
However, all other CA-Xchg certificates since the very first one now completely ignore the configured registry settings on the CA. These renewed CA-Xchg certificates keep the public/private keys locally on the OS and use a smaller key length (1024). This behavior was not seen in previous testing.
The CRLFlag CRLF_USE_XCHG_CERT_TEMPLATE is not configured. As a precaution, the CA exchange template has the same key length and CSP settings as the CA's registry (even though these settings are ignored if not using the CA exchange template).
The strangest thing is that the CA is still happily using/accessing its CA keys in the HSM when signing certificates, publishing CRLs, etc., so it's not an "access to the HSM" problem. That, and the very first CA-Xchg certificate used the HSM fine.
The CA is being used to issue certs for CLM so the CLM policy and exit modules are installed. I don't think this is doing anything as the policy module is configured to pass all non-CLM cert requests to the windows default policy module.
Is there some sort of "hard wired" default setting that this CA is reverting back to (for whatever reason) instead of what is configured in the registry?
Setting the KRAFlag KRAF_DISABLEUSEDEFAULTPROVIDER isn't an option as that flag was added with 2008; it's not available in 2003.
Any help, ideas, etc. is much appreciated.
Cheers,
Todd
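The check below is an added example, not part of Todd's post and not a Microsoft tool: it gathers the registry settings the post says are being ignored (EncryptionCSP\Provider, EncryptionCSP\KeySize, CRLFlags) and compares them with the key lengths of the CA Exchange certificates recorded in the CA database, so a reviewer can see in one place whether the configured values and the issued CA-Xchg certs disagree. It assumes it runs on the CA as an administrator with PowerShell installed, that the registry layout is the standard `CertSvc\Configuration\<CA>` one, that the CA database exposes a `PublicKeyLength` column for rows restricted to `CertificateTemplate=CAExchange` (assumption: both the column name and the "Public Key Length:" label parsed from `certutil -view` output), and that the HSM's CSP name is supplied in `$ExpectedProvider` (a placeholder here).

```powershell
# Added example (not from the original post): compare the CA's configured
# exchange-key settings against the CA-Xchg certificates actually issued.
# Assumptions: run on the CA as an administrator; standard CertSvc registry
# layout; $ExpectedProvider holds the HSM vendor CSP name (placeholder).
param(
    [string]$ExpectedProvider = "<HSM vendor CSP name>",   # placeholder, replace with the HSM CSP
    [int]$ExpectedKeySize = 2048
)

$cfg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$caName = (Get-ItemProperty -Path $cfg).Active          # "Active" names the CA instance
$encCsp = Get-ItemProperty -Path (Join-Path $cfg "$caName\EncryptionCSP")
$caCsp  = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

$findings = @()

# 1. The exchange-key provider should be the HSM CSP. A Microsoft software
#    CSP keeps the private key on the OS, which is the symptom described.
if ($encCsp.Provider -ne $ExpectedProvider) {
    $findings += "EncryptionCSP\Provider is '$($encCsp.Provider)', expected '$ExpectedProvider'"
}
if ($encCsp.Provider -like "Microsoft*") {
    $findings += "EncryptionCSP\Provider is a software CSP; renewed CA-Xchg keys would be stored on the OS"
}

# 2. The configured exchange key length.
if ([int]$encCsp.KeySize -ne $ExpectedKeySize) {
    $findings += "EncryptionCSP\KeySize is $($encCsp.KeySize), expected $ExpectedKeySize"
}

# 3. Does CRLFlags tell the CA to take these settings from the CA Exchange
#    template instead of the registry? certutil decodes the flag names.
$crlFlags     = (certutil -getreg CA\CRLFlags 2>&1) | Out-String
$usesTemplate = ($crlFlags -match "CRLF_USE_XCHG_CERT_TEMPLATE")

# 4. Key lengths of the CA Exchange certs the CA has issued to itself.
#    Assumption: the database column is PublicKeyLength and certutil labels
#    it "Public Key Length:" when displayed; parsing is best-effort.
$dbOut = (certutil -view -restrict "CertificateTemplate=CAExchange" `
            -out "RequestID,NotBefore,PublicKeyLength" 2>&1) | Out-String
$issuedLengths = @()
foreach ($m in [regex]::Matches($dbOut, "Public Key Length:\s*(\d+)")) {
    $issuedLengths += [int]$m.Groups[1].Value
}
$undersized = @($issuedLengths | Where-Object { $_ -lt $ExpectedKeySize })
if ($undersized.Count -gt 0) {
    $findings += "$($undersized.Count) CA Exchange cert(s) in the DB have key length below $ExpectedKeySize"
}

# Summary object: the signing CSP is shown alongside for comparison, since
# the post notes the CA still signs with its HSM-held keys.
New-Object PSObject -Property @{
    CAName                 = $caName
    SigningProvider        = $caCsp.Provider
    ExchangeProvider       = $encCsp.Provider
    ExchangeKeySize        = $encCsp.KeySize
    UsesXchgCertTemplate   = $usesTemplate
    IssuedXchgKeyLengths   = ($issuedLengths -join ",")
    Findings               = $findings
}
```

Run it from an elevated PowerShell prompt on the CA. Every value it reports comes from the registry or the CA database, so it changes nothing; it deliberately avoids `certutil -cainfo xchg`, which can cause the CA to create a new CA Exchange certificate when none is current, and would therefore add another renewal to the ones being investigated.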