Order the encryption and hashing algorithms in order of preference within the CSP?
Posted on 2015-01-22
We have a two-tier PKI hierarchy configured (offline root, subordinate CA) running on Microsoft Server 2012 R2. We're in the process of configuring LDAPS in our environment (and it's configured and working in our test environment). The problem is we require AES256 to be used and I am trying to figure out how to force it on the connection when another server makes an LDAP query. Connecting with ldp.exe (and enabling the LDAP_OPT_SSL_INFO option), it's showing a cipher strength of 128 bits.
I'm guessing that on the CA side the cryptographic storage provider (CSP) that is selected determines which encryption options are available. Based on what the client has available, the client/server negotiate the highest level of encryption they can both agree on.
The certificate template that I used (which is based off of the Kerberos Authentication template) has only "Microsoft RSA SChannel Cryptographic Provider" selected. After doing some searching I am unable to determine if this would allow AES256.
So here are my questions:
1. Assuming my thinking (above) is correct on how CSPs work with Microsoft Certificate Services, which CSP should be used to allow AES256 - and if multiple support AES256 - which one is recommended? If not, please clarify how this works.
2. Is there a way to order the encryption and hashing algorithms in order of preference within the CSP (via the registry or something)?