BasicConstraints is flagged as critical in standalone enterprise CA
I installed the root CA with [BasicConstraintsExtension] Critical=No, so nothing is flagged as critical in the root cert. I created a .req file after installing the subordinate CA and signed it from the root CA, but Basic Constraints is flagged as critical (yellow icon). I am looking for help to remove the critical flag when I install the subordinate CA.
June 22nd, 2011 11:34pm

Actually, non-Microsoft clients are not working if the flag is set as critical. I modified CAPolicy.inf so the root cert is not marked as critical. I am looking for a way to remove this flag in the subordinate CA. I created a Microsoft case and they are still working on it.
June 23rd, 2011 9:53am

Actually, non-Microsoft clients are not working if the flag is set as critical. I modified CAPolicy.inf so the root cert is not marked as critical. I am looking for a way to remove this flag in the subordinate CA. I created a Microsoft case and they are still working on it. I installed a standalone subordinate CA and wanted to see the template in the registry. Is HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration the place to locate the subordinate CA settings?
June 23rd, 2011 12:09pm

Wow, I have never seen a non-MS client fail with this setting previously. What client are you working with?
Brian
June 23rd, 2011 12:47pm

***Comments from my co-worker who manages some non-Microsoft SSL clients***
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
The Netscape certutil.exe is what we have to use for a few non-Microsoft products that use Cert7.db or Cert8.db for storing certificate trusts. The only setting for which we needed to remove the critical flag was the CDP. The reason for this is that some systems are unable to process a CRL or read from a CDP. The Netscape certutil would reject importing the root CA public key if it could not process the critical requirements.
***End comments***
So is there any way to remove the critical flag for basic constraints in the subordinate CA?
June 23rd, 2011 2:21pm

Why are you removing basic constraints when the issue was the CDP? These are two separate extensions... Following best practices, a root CA should *not* have a CDP extension in the certificate. I would be looking at removing the CDP and AIA extensions from the root CA certificate instead. In the CAPolicy.inf file, do the following (assuming Windows 2003; also works under Windows 2008/2008 R2, but not required):

[CRLDistributionPoint]
Empty=TRUE
[AuthorityInformationAccess]
Empty=TRUE

Brian
June 23rd, 2011 9:13pm
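The thread turns on which extension in the issued certificate actually carries the critical flag. As an added example (not from the thread, not Microsoft tooling, and not a substitute for the CA's own CAPolicy.inf handling), here is a standard-library Python script that walks the extensions of a DER-encoded X.509 certificate and reports which ones are critical, decoding BasicConstraints along the way. To run offline it constructs two sample certificates with dummy key and signature bits (they are not signed by anything and will not validate); the subject names and the CRL URL in them are placeholders. Against a real subordinate CA cert, read the bytes of the exported .cer and pass them to extensions() or basic_constraints().

```python
"""Report which X.509 extensions are critical in a DER certificate (stdlib only)."""

BASIC_CONSTRAINTS = "2.5.29.19"
CRL_DISTRIBUTION_POINTS = "2.5.29.31"


# ---- minimal DER encoder, used only to build the constructed sample certs ----
def der(tag, body):
    """One TLV with a definite, minimal-length DER length field."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def extension(oid, value, critical):
    # DER: "critical BOOLEAN DEFAULT FALSE" is encoded only when TRUE (01 01 FF)
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, der_oid(oid) + flag + der(0x04, value))


def build_sample_cert(subject, bc_critical, path_len=None):
    """Structurally valid v3 Certificate; key bits and signature are dummies (constructed)."""
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, subject.encode()))))
    rsa = der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
    sha256_rsa = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    bc = der(0x01, b"\xff") + (der(0x02, bytes([path_len])) if path_len is not None else b"")
    cdp = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.invalid/root.crl")))))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                # version v3
              + der(0x02, b"\x01")                          # serialNumber
              + sha256_rsa                                  # signature algorithm
              + name                                        # issuer
              + der(0x30, der(0x17, b"110623000000Z") + der(0x17, b"210623000000Z"))
              + name                                        # subject
              + der(0x30, rsa + der(0x03, b"\x00" * 9))     # SPKI with dummy key bits
              + der(0xA3, der(0x30,                         # [3] EXPLICIT Extensions
                              extension(BASIC_CONSTRAINTS, der(0x30, bc), bc_critical)
                              + extension(CRL_DISTRIBUTION_POINTS, cdp, False))))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 17))   # dummy signature


# ---- minimal DER decoder ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def oid_to_str(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Return [(oid, critical, raw_value)] from tbsCertificate's [3] Extensions."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)
    for tag, value in children(tbs):
        if tag == 0xA3:
            _, ext_seq, _ = read_tlv(value)
            result = []
            for _, ext in children(ext_seq):
                parts = children(ext)                       # OID [, BOOLEAN], OCTET STRING
                critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
                result.append((oid_to_str(parts[0][1]), critical, parts[-1][1]))
            return result
    return []


def critical_extensions(cert_der):
    return [oid for oid, critical, _ in extensions(cert_der) if critical]


def basic_constraints(cert_der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    for oid, critical, value in extensions(cert_der):
        if oid == BASIC_CONSTRAINTS:
            parts = children(read_tlv(value)[1])
            is_ca = any(t == 0x01 and v != b"\x00" for t, v in parts)
            path_len = next((int.from_bytes(v, "big") for t, v in parts if t == 0x02), None)
            return {"critical": critical, "ca": is_ca, "path_len": path_len}
    return None


# Constructed samples: the subordinate CA as the poster describes it, and a root without the flag.
SUB_CA_CRITICAL = build_sample_cert("Constructed Sub CA", bc_critical=True, path_len=0)
ROOT_NONCRITICAL = build_sample_cert("Constructed Root CA", bc_critical=False)

if __name__ == "__main__":
    for label, cert in (("sub CA", SUB_CA_CRITICAL), ("root CA", ROOT_NONCRITICAL)):
        print(label, basic_constraints(cert), "critical:", critical_extensions(cert))
```

Because DER forbids encoding a BOOLEAN that equals its DEFAULT, the critical flag is physically present in the Extension SEQUENCE only when it is TRUE; the yellow icon in the Windows certificate viewer corresponds to that 01 01 FF triple. A .cer saved as Base64 needs the PEM body base64-decoded before it is passed in, and the CDP and BasicConstraints entries come back as separate OIDs, which is the distinction Brian draws above.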

BTW, I use a Mac and am able to trust my root CA certificate in both Firefox and Safari.... As you can see here, my certificate has basic constraints set to critical.
Brian
June 23rd, 2011 9:19pm

Thanks Brian for your reply. I will rebuild the root CA as you mentioned. If you get an answer for the basic constraints flag in the subordinate CA, then please let me know.
June 24th, 2011 10:46am

I modified CAPolicy.inf and installed the root CA. Can I use CAPolicy.inf for installing the standalone subordinate and Enterprise issuing CA?
June 24th, 2011 4:09pm

You must use CAPolicy.inf at each CA in the hierarchy (but with different settings). Best resource is my PKI book.
Brian
June 24th, 2011 10:25pm
