AD CS - Public key does not meet the minimum size required (CERTSRV_E_KEY_LENGTH)

[arp-mbender]

I'm trying to set up acme2certifier for my needs, and I feel like I'm "this" close. I've got acme2certifier in a docker and talking with my AD CS with a user/password. Unfortunately, I wasn't sure what kind of template was required for this, so I created duplicated one for Web Server.

And it seems like acme2certifier does attempt to:

• use the correct user / pass and get valid responses from the AD CS
• use the correct template (i.e. what I created)

Where I fail is in my CA template itself, clearly. Any idea what kind of settings are needed for an ACME template on AD CS?

[grindsa]

Which acme-client are you using? I remember a similar issue from my own testing which was related to the fact that the acme-client did use ecc keys with a very short key-length which got rejected by AD CS template. Switching to RSA-Keys with key-length of 2048 bits may help (check the documentation of your acme-client for instructions)

[arp-mbender]

I was testing with acme.sh. It may be my own failing to understand modern-day ACME clients, however. I was under the impression that keys need to be long, but than again that depends on the key type, no? I.e. a ECDSA key can be shorter than RSA?

[grindsa]

ECDSA provide similar security than RSA with shorter key-length. Thus, it preferred by all modern acme-clients. Check here for furhter information

You can to switch to RSA by adding --keylength 2048 to your acme.sh command. Give it a try and let me know if it works...

[arp-mbender]

I've actually went in and lessened the length restrictions on the template itself, as well as allowed all encryptions. Reason being the template was created only for the local ACME requests and nothing else, thus I'm fine with whatever the client(s) request + the ACME service has some IP restrictions on who can use it.

With those changes in place I was able to generate a certificate.

Thanks for the help!

[grindsa]

Thx. If you dort mind, can you please post some instructions/screenshots how to modify the template? I do not have access to an AD CS and this information can be helpful for others facing the same issue.

[arp-mbender]

Sure! Here's a short instruction manual.

1. Go to Certification Authority and then right-click Certificate Templates -> Manage
   
2. Right click a standard template (i.e. Web Server) and duplicate it
3. Things that need to be changed:
   1. Template name (ex. ACME)
   2. Validity Period and Renewal Period (depending on the use case)
   3. Lower the requirements on the Cryptography page (key size & crypto providers):
      
   4. set who can use the template in the Security tab (Admins would have all permissions and your dedicated ACME user would have read + enroll and possibly also autoenroll, but I'm not 100% sure on the last one)
   5. Any other changes - this one's an open field. Ex: I don't want ACME certificates to get published to AD so I made sure that AD-publish checkbox was off.
4. Save and close the template management and back in the Certification Authority, under the Certificate Templates key, right click and select Certificate Template to Issue
   
5. Pick your new ACME template to make it available for usage

Feel free to use these images / instructions in the docs if you feel like it.

[arp-mbender]

PS. If you want more screenshots or more detailed instructions feel free to ask.