
I got a request from a customer to install ADCS using ECDSA while using a specific ECC curve for the keys (bp384r1). This curve is not listed in the ADCS installation process when creating a new key and choosing the CSP (only the NIST ECDSA_P384 is there).

I am able to create a leaf certificate by specifying the key algorithm and CSP as 'ECDSA_brainpoolP384r1,Microsoft Software Key Storage Provider'. However, this is not displayed in the ADCS installation GUI.

I also tried adding these lines to capolicy.inf before installing the CA, but with no success:
[NewRequest]
KeyAlgorithm=ECDSA_brainpoolP384r1
ProviderName="Microsoft Software Key Storage Provider"

Is there a way to limit the KSP key algorithm to a specific list, or to change the default ECC curves chosen? Or to tell ADCS to use the specific key algorithm I want?

Would appreciate any help with this - Thanks!

CryptoDan

1 Answer

Unfortunately, Microsoft ADCS limits its supported keys to common NIST curves and doesn't allow the use of Brainpool curves. If you manage to supply a certificate with a non-supported curve, the installer won't accept it. And there is no workaround I could think of that would work.

Crypt32
  • Is this a limitation of the MS CSP or of ADCS? If I have an HSM that supports brainpool, will ADCS accept it? – CryptoDan Oct 04 '21 at 16:07
  • It is a limitation of the ADCS CA, not the CSP. This means that it doesn't matter which CSP/KSP you use; the CA just throws an error if it sees non-permitted curves. – Crypt32 Oct 04 '21 at 21:08
  • Thanks for your answer! – CryptoDan Oct 05 '21 at 05:55
  • Can you refer me to a relevant article with the permitted list? – CryptoDan Oct 05 '21 at 10:40
  • There is no official documentation on this, not even unofficial, but the algorithms you see in the installation wizard are the only supported list of algorithms for a selected provider. – Crypt32 Oct 05 '21 at 10:41
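As an added example (not from the question or answer above): a PowerShell check that reads the named-curve OID out of a certificate's public key, so you can confirm before running the CA installer whether a KSP- or HSM-generated key is on a NIST curve the wizard lists or on a Brainpool curve the CA will reject. The OID-to-curve table, the helper names, and the assumption that P-256 and P-521 are wizard-listed alongside the P-384 the question mentions are mine, not the page's.

```powershell
# Decode a DER-encoded OBJECT IDENTIFIER (06 <len> <arcs>) into dotted form.
# ECC public keys carry the namedCurve OID as the algorithm parameters.
function ConvertFrom-DerOid {
    param([byte[]]$Der)
    if ($Der.Length -lt 3 -or $Der[0] -ne 0x06) { throw "Not a DER OBJECT IDENTIFIER" }
    $len  = [int]$Der[1]                      # short-form length is enough for curve OIDs
    $body = $Der[2..(1 + $len)]
    $first = [int]$body[0]
    $arcs = if ($first -ge 80) { @(2, $first - 80) } else { @([math]::Floor($first / 40), $first % 40) }
    $value = 0
    for ($i = 1; $i -lt $body.Length; $i++) {   # remaining arcs are base-128, high bit = continue
        $value = ($value -shl 7) -bor ($body[$i] -band 0x7F)
        if (($body[$i] -band 0x80) -eq 0) { $arcs += $value; $value = 0 }
    }
    return ($arcs -join '.')
}

# Curve OIDs (RFC 5480 / RFC 5639) mapped to the KSP algorithm names certreq uses.
# WizardListed is my assumption based on the thread: NIST curves only.
$script:KnownCurves = @{
    '1.2.840.10045.3.1.7'   = @{ Name = 'ECDSA_P256';            WizardListed = $true  }
    '1.3.132.0.34'          = @{ Name = 'ECDSA_P384';            WizardListed = $true  }
    '1.3.132.0.35'          = @{ Name = 'ECDSA_P521';            WizardListed = $true  }
    '1.3.36.3.3.2.8.1.1.7'  = @{ Name = 'ECDSA_brainpoolP256r1'; WizardListed = $false }
    '1.3.36.3.3.2.8.1.1.11' = @{ Name = 'ECDSA_brainpoolP384r1'; WizardListed = $false }
    '1.3.36.3.3.2.8.1.1.13' = @{ Name = 'ECDSA_brainpoolP512r1'; WizardListed = $false }
}

# Report the curve of a .cer/.crt file and whether the ADCS wizard lists it.
function Test-AdcsCurveSupport {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.10045.2.1') {   # id-ecPublicKey
        return [pscustomobject]@{ Subject = $cert.Subject; Algorithm = $cert.PublicKey.Oid.FriendlyName
                                  CurveOid = $null; WizardListed = $null; Note = 'Not an ECC key' }
    }
    $oid   = ConvertFrom-DerOid $cert.PublicKey.EncodedParameters.RawData
    $known = $script:KnownCurves[$oid]
    [pscustomobject]@{
        Subject      = $cert.Subject
        Algorithm    = if ($known) { $known.Name } else { 'unknown curve' }
        CurveOid     = $oid
        WizardListed = if ($known) { $known.WizardListed } else { $false }
        Note         = if ($known -and -not $known.WizardListed) { 'CA installer will reject this key' } else { '' }
    }
}

# Usage (path is a placeholder): Test-AdcsCurveSupport -CertPath 'C:\temp\ca-candidate.cer'
```

Run it against the leaf certificate from the question and the CurveOid column shows 1.3.36.3.3.2.8.1.1.11 with WizardListed false, which is the condition the accepted answer says the installer refuses.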