Posted by Aumy on October 6, 2008, 10:48 am
Hi Brian,
Thanks so far. I know that if you "edit" a certificate (as opposed to a
request), this would break the signature. This was clear to me.
However, I found a way to edit basicconstraints after I set up the (offline)
root-CA, by the following command which I performed on the root-CA prior to
"importing" the request into the root-CA:
certreq -policy policyfile.inf old.req new.req
where policyfile.inf contains something like...
[BasicConstraintsExtension]
pathlength = 0
critical = true
With this command, I'm able to "edit" the basicconstraints setting of the
certificates of my (online) issuing-CAs. As far as I know this is the only
way to ensure that the root-CA certificate does not contain any
basicconstraints setting --> if I had done it in capolicy.inf as you
proposed, my root-CA certificate would have the same basicconstraints
setting...
Now I need a way to "edit" the basicconstraints setting of my issuing-CA so
that these settings are added to each end-entity certificate. Unfortunately I
didn't place any basicconstraints setting in the capolicy.inf file before I
set up the CA. Do you know any command (certutil...) to add basicconstraints
*after* you set up the CA?
Same with "user notice text" in the Certificate Policies attribute. With the
same command as above, I'm able to add user notice text to the issuing-CA
certificate. But for my end-entity certificates, I don't know a way to add
such a text, due to the fact that there are no request files to modify. The
certificate template editor does not allow adding any user notice text to
the Certificate Policies attribute (Issuance Policies)...
Do you have any ideas? Thanks in advance,
Aumy
> These two options are defined in the capolicy.inf file and must be in
> place *before* you install the CA certificate.
> You cannot inject them into a CA certificate after creation, as this would
> break the signature on the certificate.
> See the Best Practices white paper available at www.microsoft.com/pki
> Brian
>
>> Hello everybody,
>>
>> I so far unsuccessfully tried to set the basic constraints option in my
>> issuing CA after I set up the CA. Is there a certutil command which is
>> able to set this attribute so each certificate I issue with this CA has
>> this basic constraints attribute?
>>
>> Is there a certutil command with which I can add a user notice text such
>> as "This certificate is for testing purpose only, ..." in the Certificate
>> Policies attribute (or somewhere else in the certificate)?
>>
>> Thanks, Aumy
>>
>
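The policyfile.inf mentioned above, written out as an added example (not the poster's own file): a `certreq -policy` INF that sets BasicConstraints and a Certificate Policies user notice on the issuing-CA request before the offline root signs it, so both end up in the issuing-CA certificate while the root certificate stays untouched. Section and key names follow Microsoft's certreq/capolicy.inf INF format; the policy OID, notice text and CPS URL are placeholders.

```ini
; Added example, not the thread's original file. Used as:
;   certreq -policy policyfile.inf old.req new.req
; on the offline root-CA, against the subordinate (issuing-CA) request,
; before the request is submitted to the root for signing.

[Version]
Signature="$Windows NT$"

; Issuing CA may sign end-entity certificates only, no further sub-CAs.
; Critical=true makes a relying party that does not understand the
; extension reject the certificate instead of silently ignoring the limit.
[BasicConstraintsExtension]
PathLength=0
Critical=true

; Certificate Policies extension carrying a user notice. Every name listed
; in Policies= needs a matching section that defines the policy OID and its
; notice text and/or CPS URL.
[PolicyStatementExtension]
Policies=TestUsePolicy
Critical=false

; Placeholder policy: replace the OID with one from your own OID arc and
; the URL with the real location of your CPS.
[TestUsePolicy]
OID=1.2.3.4.1455.67.89.5
Notice="This certificate is for testing purposes only."
URL=http://pki.example.com/cps.txt
```

After issuance, `certutil -dump` on the new issuing-CA certificate should show Basic Constraints with Path Length Constraint=0 marked critical and the notice text under Certificate Policies; that dump is the quickest way to confirm the INF was applied to the request.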