Win2003 PKI : Subordinate CA certificate parameter

Posted by Kris on September 11, 2007, 8:33 am

I have installed two Win2003 Standard edition servers. I use one as a
standalone root CA. The second is a standalone (no enterprise)
subordinate CA.

In the root CA I can successfully change the CApolicy.inf file to make
the Root CA certificate keyusage field 'critical' and have the
following value: 'Certificate Signing, Off-line CRL Signing, CRL
Signing (06)'

I want to achieve the same for the Subordinate CA, but the same
parameters I used for the Root don't work in the Sub. CApolicy.inf
file. Or in any other policy.inf file for that matter.

ex.
[Extensions]
;The Extensions section marks the KeyUsage as critical
2.5.29.15=AwIBBg==
Critical=2.5.29.15

Can anyone help?
Thanks

Kris


--
Kris
------------------------------------------------------------------------
Kris's Profile: http://forums.techarena.in/member.php?userid=30895
View this thread: http://forums.techarena.in/showthread.php?t=816171

http://forums.techarena.in


Posted by Paul Adare on September 12, 2007, 6:41 am
On Tue, 11 Sep 2007 18:03:46 +0530, Kris wrote:

> I have installed two Win2003 Standard edition servers. I use one as a
> standalone root CA. The second is a standalone (no enterprise)
> subordinate CA.
>
> In the root CA I can successfully change the CApolicy.inf file to make
> the Root CA certificate keyusage field 'critical' and have the
> following value: 'Certificate Signing, Off-line CRL Signing, CRL
> Signing (06)'
>
> I want to achieve the same for the Subordinate CA, but the same
> parameters I used for the Root don't work in the Sub. CApolicy.inf
> file. Or in any other policy.inf file for that matter.
>
> ex.
> [Extensions]
> ;The Extensions section marks the KeyUsage as critical
> 2.5.29.15=AwIBBg==
> Critical=2.5.29.15
>
> Can anyone help?

Before you issue the subordinate CA certificate you need to run the
following command on the root CA:

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Your fault -- core dumped.

Posted by Kris on September 12, 2007, 11:46 am

I have tried what you proposed. But I believe the problem is still
located in the generated certificate request during install of the
subordinate CA. If I dump the request I find:

Certificate Extensions: 3
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        64 5f b6 fe 83 df ac e8 30 6d fb 68 5e 24 34 2d 46 ab e8 19

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing,
        CRL Signing (86)

I want to generate a key usage of 0x06. As CApolicy.inf I used:

    [BasicConstraintsExtension]
    PathLength=0
    Critical=true
    [Extensions]
    ;The Extensions section marks the KeyUsage as critical
    ; and ensures key usage 0x06: Certificate Signing, Off-line CRL Signing,
    ; CRL Signing (06)
    ;
    2.5.29.15=AwIBBg==
    Critical=2.5.29.15

But both PathLength and KeyUsage are not as I want them.


--
Kris
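An added helper (not from the thread, and not a Microsoft tool) to check what a `2.5.29.15=` value in CApolicy.inf actually encodes: it decodes the base64 DER BIT STRING into the RFC 5280 KeyUsage bit names, re-encodes a wanted value, and lists which bits the issued request carried beyond what was asked for, so the intended 0x06 can be compared with the 0x86 seen in the dump above. Function names are my own.

```python
import base64

# RFC 5280 KeyUsage bit names. Bit 0 is the most significant bit of the
# first content byte, so digitalSignature is 0x80 and cRLSign is 0x02.
KEY_USAGE_BITS = [
    (0x80, "digitalSignature"), (0x40, "nonRepudiation"),
    (0x20, "keyEncipherment"), (0x10, "dataEncipherment"),
    (0x08, "keyAgreement"), (0x04, "keyCertSign"),
    (0x02, "cRLSign"), (0x01, "encipherOnly"),
]

def decode_key_usage(b64_value):
    """Decode the base64 DER BIT STRING from a '2.5.29.15=' line into
    (usage_byte, [bit names]). Base64 is case-sensitive, so a lowercased
    value such as 'awibbg==' decodes to junk and is rejected here."""
    der = base64.b64decode(b64_value, validate=True)
    # Expect: 0x03 (BIT STRING), length 2, unused-bit count, usage byte.
    if len(der) != 4 or der[0] != 0x03 or der[1] != 2 or der[2] > 7:
        raise ValueError("not a one-byte DER KeyUsage BIT STRING: " + der.hex())
    usage = der[3]
    return usage, [name for mask, name in KEY_USAGE_BITS if usage & mask]

def encode_key_usage(usage):
    """Encode a one-byte KeyUsage value as a base64 DER BIT STRING.
    DER wants the shortest encoding, so trailing zero bits are reported
    as unused: 0x06 becomes 03 02 01 06 (one unused bit) = 'AwIBBg=='."""
    if not 0 < usage <= 0xFF:
        raise ValueError("usage must be a non-zero byte")
    unused = 0
    while not (usage >> unused) & 1:
        unused += 1
    return base64.b64encode(bytes([0x03, 0x02, unused, usage])).decode("ascii")

def capolicy_extension_lines(usage):
    """The two CApolicy.inf [Extensions] lines for a critical KeyUsage."""
    return ["2.5.29.15=" + encode_key_usage(usage), "Critical=2.5.29.15"]

def extra_usage_bits(wanted, actual):
    """Names of the bits set in 'actual' that were not in 'wanted'."""
    return [name for mask, name in KEY_USAGE_BITS if actual & ~wanted & mask]

if __name__ == "__main__":
    print(decode_key_usage("AwIBBg=="))   # (6, ['keyCertSign', 'cRLSign'])
    print(capolicy_extension_lines(0x06))
    # The request dumped in the thread showed (86): digitalSignature was added.
    print(extra_usage_bits(0x06, 0x86))   # ['digitalSignature']
```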

