CSP, CNG & Hash Algorithm confusion
I'm completely confused about the correlation between the CSP, CNG and hash algorithms, as well as how the use of a specific CSP, CNG or hash algorithm on a CA affects XP/2003 (with or without KB968730). If my questions below are completely off the mark because of my confusion, please forgive me.

- Does DiscreteSignatureAlgorithm=1 equal CNG?
- Which CSPs support CNG?
- If I use DiscreteSignatureAlgorithm=1 in my capolicy.inf for either my offline root or online enterprise issuing CA, does that affect my XP/2003 clients' ability to request certificates? How?
- Does it affect my XP/2003 clients' ability to chain the CA's certificates?
- As per KB968730 the limitation is the hash algorithm. Can a CA that has DiscreteSignatureAlgorithm=1 be defined to use a hash algorithm that is supported by XP/2003 without KB968730? How? Can it be changed? How?
- Can XP SP3/Server 2003 clients with KB968730 consume/get a certificate from a CA with an SHA256 signature?
- If I understand it correctly, Server 2008/R2 support SHA256 and therefore would not have any issue receiving a certificate from a CA with the SHA256 hash algorithm?
- Is it fair to conclude that even if my XP/2003 clients (without KB968730) don't need to consume a certificate from a CA with a SHA256 hash algorithm, they wouldn't even be able to validate a certificate issued by that CA because the CA's CRL is also signed with the SHA256 algorithm?

I'm planning on implementing a 2-tier hierarchy for my organization (offline Root, online Enterprise Issuing). My organization has a large mix of XP/2003/2008/2008R2. What are the recommended CSP, CNG and hash algorithm settings to ensure interoperability among all OSs?
May 13th, 2011 1:34pm
