As computing power becomes ever more readily available, the need for stronger cryptographic keys increases as well. Often there is also a need to use keys based on elliptic curves (ECC), for example because the keys have to be protected by a Trusted Platform Module. Before such keys are rolled out, it is essential to ensure that they are compatible with the intended use cases.
Below is a list of use cases for which I am aware of the compatibility status.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
| Use Case | Status |
|---|---|
| Domain controller | Supported. However, compatibility issues may occur on the client side. Likewise, Active Directory Web Services do not support Key Storage Providers, so ECC keys cannot be used for them either. Other certificate types, such as Remote Desktop, can even be prevented from being used with ECC keys. |
| Web Server | Supported. |
| Network Device Registration Service (NDES), Registration Authority Certificates | Not supported, as only Cryptographic Service Providers (CSP) can be used, and these do not support ECC keys. The RFC for the SCEP protocol itself does not exclude support, but it is not available in the Microsoft implementation due to this underlying technical limitation. |
| Network Device Registration Service (NDES), Device certificates | Supported. Implemented in PSCertificateEnrollment as of version 1.0.7. |
| Remote Desktop Session Host | Supported. However, compatibility issues may occur on the client side. |
| Online responder (OCSP) | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority Certificates | Supported. However, compatibility issues may occur on the client side. |
| Certification Authority Web Enrollment (CAWE), Certificate Enrollment | Not supported, since only certificate templates of versions 1 and 2 are used, which in turn only support Cryptographic Service Providers (CSP), and these do not support ECC keys. |
| Trusted Platform Module (TPM) as a key backend | Supported in conjunction with Autoenrollment, but only from Windows 10 21H2 or Windows 11 onwards. |
| Microsoft Intune | Not supported. |
| VMware Workspace One (AirWatch) | Not supported. |
| Windows Defender Application Control (WDAC) | Not supported. This is explicitly stated in the documentation ("ECDSA isn't supported."). |
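Several rows of the table come down to one technical root cause: version 1 and 2 certificate templates are bound to Cryptographic Service Providers (CSP), and CSPs cannot handle ECC keys; only version 3 and 4 templates can use Key Storage Providers (KSP). The following PowerShell script is an added example and not part of the original article or of TameMyCerts; it audits the certificate templates published in Active Directory and flags any template that requests an ECC algorithm although its schema version can never deliver one. It assumes a domain-joined machine with read access to the Configuration partition, and it assumes that version 3 and 4 templates store the key algorithm inside the `msPKI-RA-Application-Policies` property bag in the form `msPKI-Asymmetric-Algorithm``PZPWSTR``<algorithm>```; the function name `Get-EccTemplateCompatibility` is hypothetical.

```powershell
# Added example (not code from the original article or from TameMyCerts).
# Audits AD CS certificate templates for their ability to issue ECC keys.
# Assumptions: domain-joined machine, read access to the Configuration partition,
# and the msPKI-RA-Application-Policies property-bag layout described in the lead-in.

function Get-EccTemplateCompatibility {
    [CmdletBinding()]
    param()

    # Locate the template container in the Configuration naming context.
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNc  = [string]$rootDse.configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = "(objectClass=pKICertificateTemplate)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@(
        "cn",
        "msPKI-Template-Schema-Version",
        "pKIDefaultCSPs",
        "msPKI-RA-Application-Policies"))

    foreach ($result in $searcher.FindAll()) {
        $props   = $result.Properties
        $version = [int]($props["mspki-template-schema-version"] | Select-Object -First 1)
        $csps    = @($props["pkidefaultcsps"])
        $bag     = [string]($props["mspki-ra-application-policies"] | Select-Object -First 1)

        # Only v3/v4 templates can use a Key Storage Provider; v1/v2 are CSP-only,
        # which rules out ECC keys entirely (see the table above).
        $kspCapable = $version -ge 3

        # Pull the configured asymmetric algorithm out of the property bag (assumed layout).
        # A v1/v2 template has no such entry and therefore falls back to RSA.
        $algorithm = "RSA (default)"
        if ($bag -match 'msPKI-Asymmetric-Algorithm``PZPWSTR``([^`]+)``') {
            $algorithm = $Matches[1]
        }
        $requestsEcc = $algorithm -like "ECD*"   # ECDSA_P256, ECDH_P384, ...

        [pscustomobject]@{
            Template         = [string]$props["cn"][0]
            SchemaVersion    = $version
            KspCapable       = $kspCapable
            KeyAlgorithm     = $algorithm
            RequestsEccKey   = $requestsEcc
            # ECC configured on a CSP-only template can never be fulfilled: flag it.
            Inconsistent     = ($requestsEcc -and -not $kspCapable)
            DefaultProviders = ($csps -join "; ")
        }
    }
}

# Usage: list templates, lowest schema version first, so CSP-only templates stand out.
Get-EccTemplateCompatibility |
    Sort-Object SchemaVersion, Template |
    Format-Table Template, SchemaVersion, KspCapable, KeyAlgorithm, RequestsEccKey, Inconsistent -AutoSize
```

The `DefaultProviders` column is worth reading alongside the schema version: a version 3 template whose provider list still names only legacy CSPs (for example an "RSA SChannel" provider) will also fail to produce ECC keys, even though the schema version alone would suggest otherwise.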
Related links:
- Basics: Elliptic curves with regard to their use in the public key infrastructure
- Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
- Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)
- Basics of online responders (Online Certificate Status Protocol, OCSP)
- Network Device Enrollment Service (NDES) Basics
- Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider
- Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES)
- Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell
External sources
- Use signed policies to protect Windows Defender Application Control against tampering (Microsoft Corporation)
- RFC 8894 - Simple Certificate Enrolment Protocol (Internet Engineering Task Force)