- Edited by hceuterpe 7 hours 19 minutes ago
Domain Controller ECDSA or ECC Certificates
Is there any guidance on deploying ECDSA-based certificates to domain controllers that are part of a Windows 2008 R2 or higher functional level domain? None of the existing certificate templates default to ECDSA--they are all still RSA-based with Windows 2003. I also had some difficulty setting the CA to sign at SHA-256, as I was using the old Domain Controller Windows 2000 template, so I want to confirm before the changes are attempted.
July 10th, 2015 7:43pm
If you have a new enough server and client environment, then go for it. The Kerberos Authentication is the newest template in the Domain Controller, Domain Controller Authentication template family line. It is a V2 template, so it will need to be converted to a V3 template so you can choose a KSP and select an ECDSA crypto. Since this enables LDAP/S (which is unused by Windows clients/servers natively), it is really a feature for third-party applications. So make sure they are compatible with this crypto level.
July 10th, 2015 8:02pm
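A check to run on a domain controller after it enrolls from the converted template, added here as an example and not part of either post: it lists the certificates usable for LDAPS or KDC authentication and shows, separately, the key algorithm (set by the template) and the signature algorithm (set by the CA). The function name `Get-DcCertCrypto` is hypothetical, and the script assumes it runs locally on the DC against the computer's Personal store.

```powershell
# Added example (not from the thread): audit DC certificates for key and
# signature algorithm. Assumes local execution on the domain controller.
function Get-DcCertCrypto {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # EKUs that make a certificate relevant to the DC role.
    $ekuNames = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'   # required for LDAPS
        '1.3.6.1.5.2.3.5'   = 'KDC Authentication'      # Kerberos Authentication template
    }
    $ecPublicKeyOid = '1.2.840.10045.2.1'               # id-ecPublicKey (ECC key)
    # sha1RSA and ecdsa-with-SHA1: signatures the CA should no longer issue.
    $sha1SigOids = '1.2.840.113549.1.1.5', '1.2.840.10045.4.1'

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $relevant = @($ekus | Where-Object { $_ -and $ekuNames.ContainsKey($_) })
        # Skip certificates without one of the EKUs above (this also skips
        # certificates that carry no EKU extension at all).
        if ($relevant.Count -eq 0) { return }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            Purposes           = ($relevant | ForEach-Object { $ekuNames[$_] }) -join ', '
            # Key algorithm comes from the template (CSP/KSP and algorithm choice).
            KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
            IsEcc              = $cert.PublicKey.Oid.Value -eq $ecPublicKeyOid
            # Signature algorithm comes from the issuing CA's key and hash setting.
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            Sha1Signed         = $sha1SigOids -contains $cert.SignatureAlgorithm.Value
        }
    }
}

Get-DcCertCrypto | Format-Table -AutoSize
```

A row with `IsEcc` false means the DC still holds an RSA certificate from an older template; a row with `Sha1Signed` true points at the CA's signing hash rather than the template.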