Fixing the signing and update error in eIDSign: DisableCapiOverrideForRSA

Many legacy 32-bit applications and older smart card drivers still rely on the older CryptoAPI (CAPI) and CSP architecture. When these systems encounter the new enforcement, they often fail with errors like "invalid provider type specified" or Event ID 624 in the System log.

What the Registry Key Does

The DisableCapiOverrideForRSA key allows administrators to manually override this new security enforcement. It switches the system between two states.

With the override in place, the system enforces modern KSP/CNG: CAPI calls for RSA operations are "overridden" and processed by the CNG engine. This is the secure, intended state. It is generally preferred because CNG is more robust against modern exploits, and it prevents attackers from exploiting legacy SHA1 hash collisions to bypass signatures.

With the override disabled, the system allows a "fallback" to legacy CSP behavior. This restores functionality for legacy apps and smart cards that haven't been updated yet.

Security Implications

Disabling the override is generally discouraged unless strictly necessary. By forcing the system back to legacy CAPI, you opt out of the performance improvements and side-channel attack protections built into the CNG architecture. It is a classic trade-off:

Compatibility: proprietary or "black-box" legacy software may crash or return errors when it detects a CNG-provided RSA key instead of a native CAPI key.

Certification: in rare scenarios, specific certifications (like older FIPS validations) might be tied to a specific CAPI implementation rather than the CNG equivalent.

The Hard Deadline: April 2026
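The following PowerShell audit script is an added example, not part of the original article or of any Microsoft tooling. It reports whether a host has the DisableCapiOverrideForRSA value set and whether the System log shows the failure symptoms described above (Event ID 624, "invalid provider type specified"), which is the inventory you need to track hosts still relying on the legacy fallback ahead of the April 2026 deadline. Two assumptions: the registry path is a placeholder because the article names only the value, and a non-zero value is read as "override disabled"; confirm both against Microsoft's documentation.

```powershell
# Added example: audit the CAPI->CNG override state for RSA on this host.
# ASSUMPTION: the article gives only the value name, so the path is a placeholder.
$RegPath      = 'HKLM:\SOFTWARE\PLACEHOLDER_PATH_FROM_VENDOR_DOCS'
$ValueName    = 'DisableCapiOverrideForRSA'
$LookbackDays = 7

function Get-CapiOverrideState {
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; State = 'CNG override enforced (value absent)' }
    }
    # ASSUMPTION: non-zero means the override is disabled and legacy CAPI/CSP is used.
    $v = [int]$item.$ValueName
    $state = if ($v -ne 0) { 'Legacy CAPI/CSP fallback allowed (override disabled)' }
             else          { 'CNG override enforced' }
    [pscustomobject]@{ Present = $true; Value = $v; State = $state }
}

function Get-LegacyProviderFailures {
    # Event ID 624 in the System log is the symptom the article associates with legacy
    # CSP apps hitting the enforcement; the message text is matched as a second signal.
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 624 -or $_.Message -match 'invalid provider type specified' } |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$state    = Get-CapiOverrideState
$failures = @(Get-LegacyProviderFailures)

"Host:     $env:COMPUTERNAME"
"Registry: $ValueName present=$($state.Present) value=$($state.Value)"
"State:    $($state.State)"
"Legacy provider failures in the last $LookbackDays days: $($failures.Count)"
$failures | Format-Table -AutoSize

# Triage guidance that follows the article's trade-off: the fallback is an exception
# to document and retire, not a fleet-wide setting.
if ($state.Present -and $state.Value -ne 0) {
    "WARNING: CNG override is disabled on this host. Record the legacy application or"
    "smart card driver that needs it and track its remediation before April 2026."
} elseif ($failures.Count -gt 0) {
    "INFO: override is enforced but legacy CSP failures were logged. Identify the failing"
    "application from the event source rather than disabling the override."
}
```

Run it with administrative rights so the System log and HKLM are readable; on a fleet, collect the four summary lines per host to see who still depends on the fallback.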