2.14 Configuring ECC certificates

MyID supports the issuance of certificates based on elliptic curve cryptography (ECC) as well as RSA. You must set up a certificate template on the CA to use the appropriate algorithm.

Note: ECC support is available on a restricted set of compatible devices. If you want to make use of this feature, contact Intercede for further details quoting SUP-237.

Microsoft CA supports Elliptic Curve Digital Signature Algorithm (ECDSA), a signing algorithm that uses ECC, and Elliptic Curve Diffie–Hellman (ECDH), an encryption algorithm that uses ECC.

When configuring the templates for issuance within MyID, you must select an ECC type of the appropriate size from the Key Algorithm drop-down list; for example, for an ECDSA_P384 or ECDH_P384 certificate template, select ECC P384 from the Key Algorithm drop-down list.

Note: ECC is not supported for archived certificates.

See section 3.3, Enable certificate templates for issuance within MyID, for details.

Note: ECC certificates may not be available for use on your clients in their default configuration; for example, you may have to enable the Allow ECC certificates to be used for logon and authentication group policy (in Windows Components > Smart cards) before Windows will recognize the certificates.

Note: Currently ECC 521 certificates are not supported by the FIPS 201-3 standard.
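
The two client-side notes above (the logon group policy and the ECC 521 restriction) can be checked on a Windows client with a short script. This is an added example, not MyID or Intercede code. It assumes the policy is backed by the EnumerateECCCerts registry value named in Microsoft's smart card Group Policy documentation, and that the issued certificates have been propagated to the current user's Personal store.

```powershell
# Added example: client-side checks for ECC certificates. Not part of MyID.
# Assumption: the "Allow ECC certificates to be used for logon and authentication"
# policy is stored as the EnumerateECCCerts value under the key below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$policy = Get-ItemProperty -Path $policyKey -Name EnumerateECCCerts -ErrorAction SilentlyContinue
$eccLogonEnabled = ($null -ne $policy) -and ($policy.EnumerateECCCerts -eq 1)
"ECC certificates allowed for logon and authentication: $eccLogonEnabled"

# DER-encoded named-curve OIDs as they appear in a certificate's
# public key parameters, mapped to the curve size.
$curves = @{
    '06-08-2A-86-48-CE-3D-03-01-07' = 'P256'   # 1.2.840.10045.3.1.7
    '06-05-2B-81-04-00-22'          = 'P384'   # 1.3.132.0.34
    '06-05-2B-81-04-00-23'          = 'P521'   # 1.3.132.0.35
}
$idEcPublicKey = '1.2.840.10045.2.1'           # public key algorithm OID for ECC keys

# Assumption: certificates from the issued device are visible in Cert:\CurrentUser\My.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.PublicKey.Oid.Value -eq $idEcPublicKey } |
    ForEach-Object {
        $der = [BitConverter]::ToString($_.PublicKey.EncodedParameters.RawData)
        $curve = if ($curves.ContainsKey($der)) { $curves[$der] } else { "unrecognized ($der)" }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Curve      = $curve
            NotAfter   = $_.NotAfter
            # Per the note above, ECC 521 is not supported by FIPS 201-3.
            IsEcc521   = ($curve -eq 'P521')
        }
    } | Format-Table -AutoSize
```

The Curve column should match the size selected in the Key Algorithm drop-down list for the template that issued the certificate.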