Difference between cryptographic providers for Windows Server 2019 certificate authority private key

certificate-authority, private-key, windows-server-2019

I'm going through the process of creating a Microsoft certificate server on Windows Server 2019 and was wondering what the difference between these cryptographic providers in the setup wizard is.

Is this KSP selection only for what's used for the private key of the CA? And can any certificates issued by the CA after setup use a different KSP?

RSA#Microsoft Software Key Storage Provider
DSA#Microsoft Software Key Storage Provider
ECDSA_P256#Microsoft Software Key Storage Provider
ECDSA_P384#Microsoft Software Key Storage Provider
ECDSA_P521#Microsoft Software Key Storage Provider

Best Answer

Correct. The CSP on the CA is used to generate/store the key pairs used by the CA.

A subscriber will use its own methods to generate/store its key pairs - a native Windows subscriber will use a CSP, whereas a Linux box would probably use OpenSSL or GnuTLS. The method used by the subscriber is not affected by the CA.

Pedantic note: You've listed Key Storage Providers (KSPs) in your question. A KSP is the replacement for Crypto Service Providers (CSPs) that became available from Windows 7 or Server 2008 onwards. As far as your question is concerned, the answer is the same for either.
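The split described in the answer above, as an added example that is not part of the original question or answer: the CA's provider is chosen once at install time, while a Windows subscriber names its own provider and algorithm when it generates a request. The CA type, key sizes, subject name and file paths are assumptions made for illustration.

```powershell
# Added example; CA type, key sizes, subject and paths are constructed values.

# 1. On the CA (AD CS role binaries already installed): the wizard entry
#    "RSA#Microsoft Software Key Storage Provider" is what -CryptoProviderName
#    takes. It governs only the CA's own key pair.
#    -WhatIf previews the operation without configuring anything.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -WhatIf

# 2. On a Windows subscriber: list the providers installed on *this* machine.
#    The list is local and does not depend on what the CA was set up with.
certutil -csplist

# 3. The subscriber generates its own key pair. ProviderName and KeyAlgorithm
#    here are the subscriber's choice (ECDSA P-256 in this example), even
#    though the CA above holds an RSA key.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=host.example.test"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
'@

$infPath = Join-Path $env:TEMP 'subscriber-request.inf'
$csrPath = Join-Path $env:TEMP 'subscriber-request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key in the named provider and writes a PKCS#10 request.
# MachineKeySet = TRUE requires an elevated prompt.
certreq -new $infPath $csrPath

# Inspect the request: the public key algorithm shown is the subscriber's.
certutil -dump $csrPath
```

`Exportable = FALSE` keeps the subscriber's private key from being exported from its provider; the request file sent to the CA contains only the public key.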