BasicConstraints is flagged as critical in a standalone enterprise CA
I installed a root CA with the [BasicConstraints extension], critical = no, so nothing is flagged as critical in the root cert. I created a .req file after installing the subordinate CA and signed it from the root CA, but the Basic Constraints extension is flagged as critical (yellow icon).
I am looking for help to remove the critical flag when I install the Subordinate CA.
June 22nd, 2011 11:34pm
Actually, non-Microsoft clients are not working if the flag is set as critical. I modified CAPOLICY.INF so the root cert is not marked as critical. I am looking for a way to remove this flag in the subordinate CA. I created a Microsoft case and they are still working on it.
June 23rd, 2011 9:53am
I installed a standalone subordinate CA and wanted to see the template in the registry. Is HKLM\system\currentcontrolset\services\certsvc\configuration where the subordinate CA settings are located?
June 23rd, 2011 12:09pm
Wow, I have never seen a non-MS client work with this setting previously. What client are you working with?
Brian
June 23rd, 2011 12:47pm
***Comments from my co-worker who manages some non-microsoft SSL clients***
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
The Netscape certutil.exe is what we have to use for a few non-Microsoft products that use Cert7.db or Cert8.db for storing certificate trusts. The only setting for which we needed to remove the critical flag was the CDP. The reason for this is that some systems are unable to process a CRL or read from a CDP. The Netscape certutil would reject importing the root CA public key if it could not process the critical requirements.
*** End comments***
So is there any way to remove the critical flag for basic constraints in subordinate CA?
June 23rd, 2011 2:21pm
Why are you removing basic constraints when the issue was the CDP? These are two separate extensions...
Following best practices, a root CA should *not* have a CDP extension in the certificate.
I would be looking at removing the CDP and AIA extension from the root CA certificate instead.
In the CAPolicy.inf file, do the following (assuming Windows 2003; this also works under Windows 2008/2008 R2, but is not required there):
[CRLDistributionPoint]
Empty=TRUE
[AuthorityInformationAccess]
Empty=TRUE
Brian
June 23rd, 2011 9:13pm
BTW, I use a Mac and am able to trust my root CA certificate in both Firefox and Safari....
As you can see here, my certificate has basic constraints set to critical
Brian
June 23rd, 2011 9:19pm
Thanks Brian for your reply. I will rebuild the root CA as you mentioned. If you get an answer for basic constraints flag in subordinate CA then please let me know.
June 24th, 2011 10:46am
I modified CAPolicy.inf and installed the root CA. Can I use CAPolicy.inf for installing a standalone subordinate CA and an Enterprise issuing CA?
June 24th, 2011 4:09pm
You must use capolicy.inf at each CA in the hierarchy (but with different settings).
Best resource is my PKI book
Brian
June 24th, 2011 10:25pm
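Added example (editor's illustration, not posted by anyone in this thread): the two CAPolicy.inf variants Brian's replies imply (one per CA tier, with different settings), written to %SystemRoot% before the CA role is installed, followed by a check of which extensions in the issued CA certificate actually carry the critical flag. The [BasicConstraintsExtension] section with PathLength and Critical keys is the CAPolicy.inf syntax documented for Windows Server 2008 and later, and it only controls what the CA puts into its own request; whether the parent CA preserves the flag has to be confirmed on the issued certificate, which is what the check does. The file paths (C:\Temp\SubCA.cer) and the 20-year/26-week values are placeholders, not settings from the thread.

```powershell
# Root CA: no CDP/AIA in the root certificate (as recommended above), BasicConstraints not critical.
# Place this at %SystemRoot%\CAPolicy.inf on the root BEFORE installing the CA role (or before renewing).
$rootPolicy = @'
[Version]
Signature="$Windows NT$"

[BasicConstraintsExtension]
PathLength=1
Critical=No

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
LoadDefaultTemplates=0
'@

# Subordinate CA: different settings. No Empty=True here: the CDP/AIA that appear in the
# subordinate's own certificate are written by the issuing root, and those for certificates
# the subordinate issues are set in its own CA configuration, not in CAPolicy.inf.
$subPolicy = @'
[Version]
Signature="$Windows NT$"

[BasicConstraintsExtension]
PathLength=0
Critical=No

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
'@

function Write-CAPolicy {
    # Writes the chosen policy to %SystemRoot%\CAPolicy.inf (the only location certsrv reads it from).
    param([Parameter(Mandatory)][ValidateSet('Root','Sub')][string]$Tier)
    $content = if ($Tier -eq 'Root') { $rootPolicy } else { $subPolicy }
    $path = Join-Path $env:windir 'CAPolicy.inf'
    Set-Content -Path $path -Value $content -Encoding ASCII
    return $path
}

function Get-CertExtensionCriticality {
    # Lists every extension in a DER/PEM .cer file with its OID, friendly name and Critical flag.
    # Uses .NET X509Certificate2, so it works without parsing certutil output.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    foreach ($ext in $cert.Extensions) {
        New-Object PSObject -Property @{
            Oid      = $ext.Oid.Value
            Name     = $ext.Oid.FriendlyName
            Critical = $ext.Critical
            Value    = $ext.Format($false)
        }
    }
}

# --- Usage on the subordinate, after the root has signed its request and the cert is installed ---
# Export the CA's own certificate (placeholder path) and inspect it:
#   certutil -ca.cert C:\Temp\SubCA.cer
Get-CertExtensionCriticality -Path 'C:\Temp\SubCA.cer' | Format-Table Oid, Name, Critical -AutoSize

# Just the answer to the question in this thread: is Basic Constraints (2.5.29.19) critical?
$bc = Get-CertExtensionCriticality -Path 'C:\Temp\SubCA.cer' | Where-Object { $_.Oid -eq '2.5.29.19' }
"BasicConstraints critical: $($bc.Critical)  ($($bc.Value))"
```

Run Write-CAPolicy -Tier Root on the root and Write-CAPolicy -Tier Sub on the subordinate before adding the Certificate Services role on each; CAPolicy.inf is read at install and renewal time only, so changing it afterwards has no effect until the CA certificate is renewed. The criticality check is also a quick way to see the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) flags that the non-Microsoft client in the thread was actually choking on.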