Keylength
Is it required, or best practice, to have all certificates in the chain use the same key length?
September 21st, 2011 9:03pm
I don't know. The maximum key length must be the same as is supported by the applications. However, certain applications may support shorter keys for the end (leaf) certificate and longer ones for the other certificates in the chain. In that case it is possible to set up a long key (4096) for the issuer and 2048 for leaf certificates. This fully depends on the applications that will utilize your PKI.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 21st, 2011 9:21pm
From a pure security perspective, I would think it would make sense to have the largest key length near the top of the chain, and then try to maintain the highest key length possible (but not higher than the parent key length) as you move down the chain to the certificates themselves.
However, as Vadims says, compatibility is probably the biggest consideration here...
Cheers
JJ Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
September 22nd, 2011 2:13am
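The two answers above describe a policy rather than a rule: every key meets a minimum, no certificate carries a longer key than the certificate that signed it (largest key at the root, non-increasing towards the leaf), and the leaf key stays within what the consuming application supports. The following checker is an added example, not code from the thread or from any PKI product; the chains it evaluates are constructed sample data, and in practice the key sizes would be read from the actual certificates (for instance from the certificate store or the PEM/DER files) before being passed in.

```python
"""Check RSA key lengths along a certificate chain against the policy
discussed above (added example; chains below are constructed samples)."""
from typing import List, Optional, Tuple

# A chain is listed leaf first, root last: [(label, key_bits), ...]
Chain = List[Tuple[str, int]]


def check_chain_key_lengths(chain: Chain, min_bits: int = 2048,
                            app_max_leaf_bits: Optional[int] = None) -> List[str]:
    """Return a list of policy findings; an empty list means the chain passes.

    min_bits          -- smallest key length acceptable anywhere in the chain
    app_max_leaf_bits -- largest leaf key the consuming application supports
                         (None if the application imposes no limit)
    """
    findings: List[str] = []
    if not chain:
        return ["empty chain"]

    # 1. Every key in the chain must meet the minimum.
    for label, bits in chain:
        if bits < min_bits:
            findings.append(
                f"{label}: {bits}-bit key is below the {min_bits}-bit minimum")

    # 2. Walk leaf -> root. The certificate at index i was signed by the
    #    certificate at index i+1, so the issuer's key should be at least as
    #    long as the key of the certificate it signed: a chain is only as
    #    strong as its weakest (shortest) signing key.
    for (child, child_bits), (issuer, issuer_bits) in zip(chain, chain[1:]):
        if child_bits > issuer_bits:
            findings.append(
                f"{child}: {child_bits}-bit key is longer than its issuer "
                f"{issuer} ({issuer_bits}-bit); effective strength is bounded "
                f"by the issuer")

    # 3. The leaf must still be usable by the application that consumes it.
    leaf, leaf_bits = chain[0]
    if app_max_leaf_bits is not None and leaf_bits > app_max_leaf_bits:
        findings.append(
            f"{leaf}: {leaf_bits}-bit key exceeds the application limit of "
            f"{app_max_leaf_bits} bits")
    return findings


# Constructed sample chains (labels and sizes are illustrative only).
MIXED_CHAIN: Chain = [          # 4096-bit issuers, 2048-bit leaf: passes
    ("www.example.test (leaf)", 2048),
    ("Example Issuing CA", 4096),
    ("Example Root CA", 4096),
]
INVERTED_CHAIN: Chain = [       # leaf longer than its issuers: flagged
    ("www.example.test (leaf)", 4096),
    ("Example Issuing CA", 2048),
    ("Example Root CA", 2048),
]
LEGACY_CHAIN: Chain = [         # 1024-bit leaf: below the minimum
    ("legacy.example.test (leaf)", 1024),
    ("Example Issuing CA", 2048),
    ("Example Root CA", 4096),
]

if __name__ == "__main__":
    for name, chain in [("mixed", MIXED_CHAIN), ("inverted", INVERTED_CHAIN),
                        ("legacy", LEGACY_CHAIN)]:
        result = check_chain_key_lengths(chain, app_max_leaf_bits=2048)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run as a script it reports the mixed 4096/2048 chain as clean, flags the inverted chain twice (leaf longer than issuer, and leaf over the 2048-bit application limit), and flags the legacy chain's 1024-bit leaf. The `app_max_leaf_bits` argument is where the compatibility concern from both replies enters: the policy only makes sense relative to what the relying applications actually accept.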