Increase maximum certificate key length for client certs
The current (1710) maximum key length for client authentication certificates is 2048 bits. Many security-conscious organizations standing up a new PKI in 2017-2018 would prefer a longer key length for all certificates. This requires that the organization lower their standards to utilize computer certificates for computer authentication.
I think you can best use CNG v3 certificates.
Brad Palmer commented
I see that the doc still states 2048 as maximum key length, but the ConfigMgr environment I built and support "CB 2103" clients are using a 4096 key length cert and in general we do not seem to be having issues with client/server communication with only "HTTPS" set for MP and DPs. If something is not working properly it has not been obvious and is not hindering operational use that I have noticed. I have seen a few issues while running OS build TS's, so I was confirming that the DP cert template was correct, which is also a 4096 key length cert. I stumbled across the 2048 requirement and this user voice while confirming cert requirements. This is a new AD Domain 2016 forest level and the ConfigMgr site was created after client cert templates were made to the specs we wanted with a higher security posture, 4096 over 2048. If any ConfigMgr super pros can tell me what is not working with 4096 key length certs that would be great. I may only change the DP cert template to 2048, but since the clients are working currently with 4096, we are leaving that template alone.
Blake Batten commented
I would rather just move to ECC certs, but they don't work. See https://social.technet.microsoft.com/Forums/en-US/cc9ec0ff-5998-4225-9ce1-2c7b5fe5677d/sccm-and-ecc-certificates-not-supported?forum=ConfigMgrDeployment
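Before changing templates or troubleshooting the HTTPS client/MP/DP path discussed in the comments above, it helps to know exactly what key length, algorithm and key storage provider the client-auth certificates on a machine actually have. The following PowerShell inventory is an added example, not code from this thread or from ConfigMgr; it assumes Windows PowerShell 5.1 or later and that the 2048-bit figure quoted from the docs is the documented maximum. The function name, the `$DocumentedMax` constant and the note strings are assumptions of this example.

```powershell
# Added example, not code from the UserVoice thread or from ConfigMgr itself.
# Lists certificates in the local machine store that carry the Client
# Authentication EKU and reports algorithm, key length and key storage
# provider (legacy CSP vs CNG/KSP), flagging keys above the documented
# 2048-bit maximum and non-RSA (e.g. ECC) keys mentioned in the thread.
# Assumes Windows PowerShell 5.1 or later.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$DocumentedMax = 2048                   # documented maximum for ConfigMgr client certs (assumption: still current)

function Get-ClientAuthCertReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid }
    } | ForEach-Object {
        $cert   = $_
        $algo   = $cert.PublicKey.Oid.FriendlyName
        $rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $ecPub  = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        $keyLen = if ($rsaPub) { $rsaPub.KeySize } elseif ($ecPub) { $ecPub.KeySize } else { $null }

        # Provider lookup needs private-key access, so run elevated for machine certs.
        $provider = 'n/a'
        if ($cert.HasPrivateKey -and $rsaPub) {
            try {
                $rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsaPriv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = 'CSP: ' + $rsaPriv.CspKeyContainerInfo.ProviderName   # legacy v1/v2 template style
                } elseif ($rsaPriv -is [System.Security.Cryptography.RSACng]) {
                    $provider = 'CNG: ' + $rsaPriv.Key.Provider.Provider              # KSP, i.e. CNG (v3) template
                }
            } catch { $provider = 'unreadable: ' + $_.Exception.Message }
        }

        $note = ''
        if ($algo -ne 'RSA')                 { $note = 'non-RSA key (ECC reported unsupported in thread)' }
        elseif ($keyLen -gt $DocumentedMax)  { $note = "exceeds documented max of $DocumentedMax bits" }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Algorithm  = $algo
            KeyLength  = $keyLen
            Provider   = $provider
            Note       = $note
        }
    }
}

Get-ClientAuthCertReport | Format-Table -AutoSize
```

Run the same function with `-StorePath` pointing at the DP or MP server's machine store to compare the server-side certificates against the client ones.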