
I want to set up Microsoft Active Directory Certificate Services to use "Microsoft Enhanced RSA and AES Cryptographic Provider". Target: Windows 2016 server Data Center edition x64 running on VirtualBox. (Also tested on Win 2008 server x64.)

The "certutil -csplist" command displays this CSP as an available CSP. Here is the Registry screenshot of the Cryptography Provider List: (screenshot: Registry - Cryptography Provider List)

In AD CS Configuration wizard:

At the Role Services step I have selected "Certification Authority". At the "Cryptography for CA" step the "Microsoft Enhanced RSA and AES Cryptographic Provider" is missing from the "Select a cryptographic provider" combobox. This CSP supports the sha-256 algorithm. Please note: I don't want to use CNG providers. Screenshots of the CSP provider list:

Background info:

I'm developing a custom CSP (Cryptographic service provider) (not CNG). My CSP supports sha-256, so I need to set the CSP Provider Type as "Type 024" (PROV_RSA_AES). But it seems that "AD CS configuration" skips providers that have 024 as their type. If I specify "Type 001" (PROV_RSA_FULL) for my custom CSP, then "AD CS configuration" displays my CSP in the provider list, but shows only sha1 in the hash algorithms, and my sha-256 algorithm is missing. It seems that AD CS configuration only supports sha-256 for CNG providers and skips legacy providers' sha-256 implementation.

How to fix this issue? How to use "Type 024" (PROV_RSA_AES) provider type in "AD CS configuration"?

Thanks.

Jonathan Leffler
Kristóf Dely
  • Hi, there was an error like this: Error: Provider DLL failed to initialize correctly./dailybuildsbranches/CSP_4_0/CSPbuild/CSP/samples/CPCrypt/Enroll.cpp:445: 0x8009001D. How can you fix it? Can't create Microsoft Enhanced RSA and AES Cryptographic Provider certificate on Linux. – Дмитрий Матвиенко Jul 22 '20 at 09:22

0 Answers