
Win2003 PKI : certreq.exe 'keyusage=0xb8' in policy.inf BUG

microsoft.public.windows.server.security
Posted by Kris on September 12, 2007, 9:10 am

I use "certreq.exe" to generate a key-pair and certificate request on a
regular XP machine. I use the following policy.inf file:

[Version]
Signature = "$Windows NT$"
[NewRequest]
; make private key exportable
Exportable = TRUE
; This key is important when you need to create certificates
; that are owned by the computer and not a user
MachineKeySet = TRUE
Subject = "CN = some subject...."
KeyLength = 2048
KeyUsage = 0xb8

I use the 0xb8 value for KeyUsage and I expect to get: Digital
Signature, Key Encipherment, Data Encipherment, Key Agreement (0xb8).

BUT when I have the certificate request signed in my standalone Win2003
Standard Edition CA, the resulting certificate's KeyUsage is 0xb0: Digital
Signature, Key Encipherment, Data Encipherment.
So I miss one option.
(also see
http://technet2.microsoft.com/windowsserver/en/library/0e4472ff-fe9b-4fa7-b5b1-9bb6c5a7f76e1033.mspx?mfr=true
)

I tried other values but no problems there, they work as expected. I
only have problems with value 0xb8.... Strange...

Did anyone have/find this problem? Any other help would also be
appreciated.

Kris Jehaes


--
Kris
------------------------------------------------------------------------
Kris's Profile: http://forums.techarena.in/member.php?userid=30895
View this thread: http://forums.techarena.in/showthread.php?t=816809

http://forums.techarena.in
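A check for exactly the mismatch described in the post above, as an added Python example (not part of the original thread and not a Microsoft tool): it maps the certreq KeyUsage hex value to RFC 5280 bit names, decodes the DER-encoded KeyUsage extension as it appears in an issued certificate, and reports which usages the CA dropped. The hex-to-bit mapping follows the wincrypt CERT_*_KEY_USAGE constants (0x80 digitalSignature down to 0x01 encipherOnly, and 0x8000 decipherOnly). The policy.inf lines and the DER bytes for the 0xb0 result are constructed inline to match the post, not taken from a real request or certificate.

```python
"""Decode, encode and compare X.509 KeyUsage values (RFC 5280 4.2.1.3).

certreq's 'KeyUsage = 0xNN' uses the wincrypt CERT_*_KEY_USAGE constants: the
low byte is the first content byte of the KeyUsage BIT STRING (0x80 is
digitalSignature) and 0x8000 is decipherOnly, bit 0 of the second byte.
"""
import re

# KeyUsage bit names in RFC 5280 bit order: bit 0 = digitalSignature.
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0 -> 0x80 in the first content byte
    "nonRepudiation",    # bit 1 -> 0x40
    "keyEncipherment",   # bit 2 -> 0x20
    "dataEncipherment",  # bit 3 -> 0x10
    "keyAgreement",      # bit 4 -> 0x08
    "keyCertSign",       # bit 5 -> 0x04
    "cRLSign",           # bit 6 -> 0x02
    "encipherOnly",      # bit 7 -> 0x01
    "decipherOnly",      # bit 8 -> 0x80 in the second content byte
]


def _content_to_names(content):
    """Names of the bits set in BIT STRING content bytes (padding already cleared)."""
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_i, bit_i = divmod(i, 8)
        if byte_i < len(content) and content[byte_i] & (0x80 >> bit_i):
            names.append(name)
    return names


def mask_to_names(mask):
    """certreq/wincrypt integer (0xb8, 0x8000, ...) -> list of usage names."""
    return _content_to_names(bytes([mask & 0xFF, (mask >> 8) & 0xFF]))


def names_to_mask(names):
    """Inverse of mask_to_names; raises ValueError on an unknown name."""
    mask = 0
    for name in names:
        byte_i, bit_i = divmod(KEY_USAGE_BITS.index(name), 8)
        mask |= (0x80 >> bit_i) << (8 * byte_i)
    return mask


def decode_key_usage_der(der):
    """Decode a KeyUsage extension value: a BIT STRING with short-form length."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    unused = der[2]
    content = bytearray(der[3:])
    if unused > 7 or (unused and not content):
        raise ValueError("bad unused-bits count")
    if content:
        content[-1] &= (0xFF << unused) & 0xFF  # padding bits carry no meaning
    return _content_to_names(bytes(content))


def encode_key_usage_der(names):
    """DER-encode usage names; trailing zero bits become the unused-bits count."""
    mask = names_to_mask(names)
    content = bytearray([mask & 0xFF, (mask >> 8) & 0xFF])
    while content and content[-1] == 0:
        content.pop()
    unused = 0
    while content and not content[-1] & (1 << unused):
        unused += 1
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)


def key_usage_from_policy_inf(text):
    """Read the 'KeyUsage = 0xNN' line (hex or decimal) from policy.inf text."""
    m = re.search(r"^\s*KeyUsage\s*=\s*(0x[0-9a-f]+|\d+)\s*$", text, re.M | re.I)
    if not m:
        raise ValueError("no KeyUsage line in policy.inf")
    return int(m.group(1), 0)


def dropped_usages(requested_mask, issued_der):
    """Usages asked for in the request that the issued certificate lacks."""
    issued = set(decode_key_usage_der(issued_der))
    return [n for n in mask_to_names(requested_mask) if n not in issued]


# Constructed sample input: the policy.inf lines from the thread and a KeyUsage
# extension value encoding the reported 0xb0 result (03 02 04 b0), built here
# to match the post rather than taken from a real certificate.
SAMPLE_POLICY_INF = """[NewRequest]
Subject = "CN = some subject...."
KeyLength = 2048
KeyUsage = 0xb8
"""
ISSUED_KEY_USAGE_DER = bytes.fromhex("030204b0")

if __name__ == "__main__":
    requested = key_usage_from_policy_inf(SAMPLE_POLICY_INF)
    print("requested", hex(requested), mask_to_names(requested))
    print("issued   ", decode_key_usage_der(ISSUED_KEY_USAGE_DER))
    print("dropped  ", dropped_usages(requested, ISSUED_KEY_USAGE_DER))
```

Run as-is it reports keyAgreement as the dropped usage. To check a real certificate, pass the raw value bytes of its Key Usage extension (the BIT STRING inside the extension's OCTET STRING) to decode_key_usage_der. Note that 0xb8 and 0xb0 differ only in the keyAgreement bit (0x08), which is also why the DER unused-bits count changes from 3 to 4 between the two encodings.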


Posted by Kris on September 12, 2007, 9:37 am

By chance I found the solution myself:

http://blogs.msdn.com/spatdsg/archive/2006/04/27/585450.aspx

SOLUTION:
On the CA:
You remove the flags on the policy module as follows:
certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Kris




Posted by Paul Adare on September 12, 2007, 4:54 pm
On Wed, 12 Sep 2007 19:07:51 +0530, Kris wrote:

> By chance I found the solution myself:
>
> http://blogs.msdn.com/spatdsg/archive/2006/04/27/585450.aspx
>
> SOLUTION:
> On the CA:
> You remove the flags on the policy module as follows:
> certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
>

Same solution I provided in your other thread on this issue.
--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Supercomputer: Turns CPU-bound problem into I/O-bound problem. -- Ken Batcher

Posted by Kris on September 13, 2007, 3:22 am

Yes Paul, that is true.

But this solution didn't solve the problem I have with the certificate
request key usage of the subordinate CA. So there is still a problem there.

If you have any ideas...?

Is there any good doc on these obscure and special Win2003 parameters
(registry keys, policy file, etc.)?



