Constraining keyUsage extension in ADCS 2008
Hi, In trying to set up a PKI using ADCS on Windows 2008 R2, I am trying to generate a self-signed Root CA certificate with just the "keyCertSign" and "cRLSign" bits turned on. However, I've noticed that the installation process always includes "digitalSignature" in the extension along with something called "Offline CRL Signing" (although this does not show itself when viewed through OpenSSL dumps). I've researched TechNet quite a bit and found that the [NewRequest] section with the "KeyUsage" key/value pair allowed control of keyUsage bits in Windows 2003. This does not appear to work in ADCS 2008 when included in the CAPolicy.inf file. How do I eliminate the "digitalSignature" bit, and the "Offline CRL Signing" in the self-signed CA certificate? If they cannot be eliminated, is there an explanation for why they are included in the CA certificate? TIA
February 25th, 2010 3:00am
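Independent of which CAPolicy.inf setting finally takes effect, the resulting root certificate can be checked directly. The following is an added example (not from the thread or from Microsoft) that decodes the DER-encoded KeyUsage extension (RFC 5280, OID 2.5.29.15) with the standard library only and reports which of the nine RFC bits are set; the sample extension bytes are constructed here, one matching what the poster observed from ADCS and one matching the CA-only set they wanted. The bit string carries no separate "Offline CRL Signing" bit, which is why OpenSSL dumps never show one.

```python
"""Decode an X.509 KeyUsage extension from DER and check it against the
CA-only policy (keyCertSign + cRLSign). Standard library only."""

KEY_USAGE_BITS = [  # RFC 5280 bit order, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = bytes.fromhex("551d0f")  # 2.5.29.15 in DER
CA_ONLY = {"keyCertSign", "cRLSign"}


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(ext_der):
    """Return the set of KeyUsage bit names from a DER Extension SEQUENCE."""
    tag, seq, _ = _tlv(ext_der, 0)
    assert tag == 0x30, "expected Extension SEQUENCE"
    tag, oid, pos = _tlv(seq, 0)
    assert tag == 0x06 and oid == KEY_USAGE_OID, "not a KeyUsage extension"
    tag, val, pos = _tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = _tlv(seq, pos)
    assert tag == 0x04, "expected OCTET STRING extnValue"
    tag, bits, _ = _tlv(val, 0)
    assert tag == 0x03, "expected BIT STRING"
    unused = bits[0]                      # first octet: number of padding bits
    usable = (len(bits) - 1) * 8 - unused  # bits at or past this are padding
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable and bits[1 + i // 8] & (0x80 >> (i % 8))}


def is_ca_only(ext_der):
    """True iff exactly keyCertSign and cRLSign are asserted."""
    return decode_key_usage(ext_der) == CA_ONLY


# Constructed samples: Extension { OID 2.5.29.15, critical TRUE, BIT STRING }.
# What the poster saw from ADCS: digitalSignature + keyCertSign + cRLSign.
ADCS_OBSERVED = bytes.fromhex("300e0603551d0f0101ff040403020186")
# What the poster wanted: keyCertSign + cRLSign only.
WANTED_ROOT = bytes.fromhex("300e0603551d0f0101ff040403020106")

if __name__ == "__main__":
    for label, ext in (("ADCS", ADCS_OBSERVED), ("wanted", WANTED_ROOT)):
        print(label, sorted(decode_key_usage(ext)), "CA-only:", is_ca_only(ext))
```

To run it against a real certificate, extract the extension bytes with an ASN.1 parser and pass them to decode_key_usage.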

All the information you need is in http://support.microsoft.com/kb/888180
Brian
February 25th, 2010 3:23am

Thanks for the response, Brian. I presume that, even though the instructions indicate this is for Windows 2003 R1, it applies to ADCS in Windows 2009 R2? If it does, I am a little perplexed how one creates a CSR for a self-signed Root CA, if the ADCS "Add Role" wizard does not appear to pause anywhere until the certificate is completely generated. If it does pause (due to the change in the Policy Module), what CA does one select for Step (b) in Method 2: Submit the CA using the Certreq command, given that the self-signed Root CA hasn't been set up yet? Thanks.
February 25th, 2010 3:45am
