How to make key extension critical in ADCS issued CA certificates
I'm trying to replicate a PKI chain of trust (Root CA -> Policy CA -> Issuing CA) with Microsoft Server 2008 R2's integrated CA solution. The solution is from an external source, and I'd like to have the certificates of the respective authorities look like the originals in terms of certificate extensions. I use a CAPolicy.inf file to set the specifics of the CA certificates for the respective CA's. My CAPolicy.inf looks like this:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=3
CRLPeriodUnits=years
CRLOverlapPeriod=1
CRLOverlapUnits=months
CRLDeltaPeriod=1
CRLDeltaPeriodUnits=months
DiscreteSignatureAlgorithm=1
LoadDefaultTemplates=False
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True
[Extensions]
1.3.6.1.4.1.311.21.1=
1.3.6.1.4.1.311.20.2=
2.5.29.15=AwIBhg==
Critical = 2.5.29.15
The Root CA certificate generated with this CAPolicy.inf has the "Key Usage" (2.5.29.15) attribute marked as critical (as expected by the CAPolicy.inf). After the deployment of the Root CA, I use CertUtil to make sure that the CA's have the following registry entries:
C:\Users\Administrator>certutil -getreg policy\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Queensland Government Root Certification Authority\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:
Values:
RevocationType REG_DWORD = 100 (256)
REVEXT_CDPENABLE -- 100 (256)
CAPathLength REG_DWORD = ffffffff (-1)
RevocationURL REG_SZ = https://%1/CertEnroll/nsrev_%3.asp
EnableRequestExtensionList REG_MULTI_SZ =
0: 1.2.840.113549.1.9.15 SMIME Capabilities
1: 1.3.6.1.4.1.311.21.1 CA Version
2: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
3: 2.5.29.15 Key Usage
EnableEnrolleeRequestExtensionList REG_MULTI_SZ =
0: 1.3.6.1.4.1.311.10.9.1 Cross-Certificate Distribution Points
1: 1.3.6.1.4.1.311.20.2 Certificate Template Name (Certificate Type)
2: 1.3.6.1.4.1.311.21.7 Certificate Template Information
3: 1.3.6.1.4.1.311.21.10 Application Policies
4: 1.3.6.1.4.1.311.21.11 Application Policy Mappings
5: 1.3.6.1.4.1.311.21.12 Application Policy Constraints
6: 2.5.29.17 Subject Alternative Name
7: 2.5.29.30 Name Constraints
8: 2.5.29.32 Certificate Policies
9: 2.5.29.33 Policy Mappings
10: 2.5.29.36 Policy Constraints
11: 2.5.29.37 Enhanced Key Usage
12: 2.5.29.15 Key Usage
DisableExtensionList REG_MULTI_SZ =
0: 1.3.6.1.4.1.311.21.1 CA Version
1: 1.3.6.1.4.1.311.20.2 Certificate Template Name (Certificate Type)
SubjectAltName REG_SZ = DISABLED: Set to EMail to set SubjectAltName extension to the email address
SubjectAltName2 REG_SZ = DISABLED: Set to EMail to set SubjectAltName2 extension to the email address
RequestDisposition REG_DWORD = 101 (257)
REQDISP_ISSUE -- 1
REQDISP_PENDINGFIRST -- 100 (256)
EditFlags REG_DWORD = 83ee (33774)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
DefaultSMIME REG_MULTI_SZ =
0: 1.2.840.113549.3.2,128 rc2 80 (128)
1: 1.2.840.113549.3.4,128 rc4 80 (128)
2: 1.3.14.3.2.7 des
3: 1.2.840.113549.3.7 3des
EnableExtensionList REG_MULTI_SZ =
0: 2.5.29.15 Key Usage
1: 2.5.29.32 Certificate Policies
CertUtil: -getreg command completed successfully.
The policies are set for example with
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
to disable the "Certificate Template Name" extension or
certutil -setreg policy\EnableExtensionList +2.5.29.15
to enable the "Key Usage" extension.
However, when I get a certificate request from the Policy CA using the above CAPolicy.inf with "Key Usage" marked as critical in the request, then after submitting the request to the Root CA, the "Key Usage" property is marked down as being non-critical.
(In the Certification Authority console right-click the request, select "All Tasks" -> "View Attributes/Extensions...", select the "Extensions" tab and scroll down to "Key Usage"). I then tried as an administrator to manually specify the "Key Usage" as critical again by creating a file keyUsage.txt with the content
AwIBhg==
and then using certutil as follows
certutil.exe -setextension <RequestID> 2.5.29.15 1 @keyUsage.txt
replacing <RequestID> with the actual number of the request in the certificate request database.
After I set the extension to be critical manually, "Key Usage" shows up with Critical=Yes and Enabled=Yes in the properties of the request, with the Origin set to "Administrator". However, when I issue the certificate, "Key Usage" is set back to non-critical in the issued certificate.
I'm a little bit at a loss here why that happens and what additional steps need to be taken to get "Key Usage" as a critical extension in the certificate.
Thanks in advance for any help.
--Georg
May 25th, 2011 4:00am
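To check what the "AwIBhg==" value in the CAPolicy.inf and the keyUsage.txt above actually encodes, and what "critical" means at the DER level, here is an added example (not part of the original post or of any Microsoft tooling). It decodes and re-encodes the Key Usage BIT STRING as CAPolicy.inf and certutil -setextension take it, and wraps it in an X.509 Extension so the presence of the critical BOOLEAN can be inspected; the helper names are my own.

```python
import base64

# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3), in bit order.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
KEY_USAGE_OID_DER = b"\x06\x03\x55\x1d\x0f"  # OBJECT IDENTIFIER 2.5.29.15 (Key Usage)


def decode_key_usage(b64_value):
    """Decode the base64 DER BIT STRING that CAPolicy.inf / certutil -setextension take."""
    der = base64.b64decode(b64_value)
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    usable_bits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(usable_bits)
            if body[i // 8] & (0x80 >> (i % 8))}


def encode_key_usage(flags):
    """Encode key usage names to the base64 value; DER drops trailing zero bits."""
    positions = sorted(KEY_USAGE_BITS.index(f) for f in flags)
    nbits = positions[-1] + 1               # highest set bit is the last encoded bit
    body = bytearray((nbits + 7) // 8)
    for p in positions:
        body[p // 8] |= 0x80 >> (p % 8)
    unused = len(body) * 8 - nbits
    return base64.b64encode(bytes([0x03, len(body) + 1, unused]) + body).decode()


def encode_extension(value_der, critical):
    """Wrap a Key Usage value as an X.509 Extension SEQUENCE (short-form lengths only)."""
    inner = KEY_USAGE_OID_DER
    if critical:                            # BOOLEAN TRUE; DEFAULT FALSE is omitted in DER
        inner += b"\x01\x01\xff"
    inner += bytes([0x04, len(value_der)]) + value_der
    return bytes([0x30, len(inner)]) + inner


def extension_is_critical(ext_der):
    """True if the Extension carries an explicit BOOLEAN TRUE between the OID and value."""
    if ext_der[0] != 0x30 or ext_der[2] != 0x06:
        raise ValueError("not an Extension SEQUENCE")
    pos = 4 + ext_der[3]                    # skip the SEQUENCE header and the OID TLV
    return ext_der[pos] == 0x01 and ext_der[pos + 2] == 0xFF


if __name__ == "__main__":
    # The value from the question: digitalSignature + keyCertSign + cRLSign.
    print(sorted(decode_key_usage("AwIBhg==")))
    ext = encode_extension(base64.b64decode("AwIBhg=="), critical=True)
    print(ext.hex(), extension_is_critical(ext))
```

Comparing the critical flag of the Key Usage extension in the request with the one in the issued certificate (for example after dumping both with certutil) is the quickest way to confirm whether the policy module rewrote the extension.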
Hi,
Frankly this issue is fairly complicated. Many details or logs may be required to perform deep research. Therefore, I'm afraid your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Thanks!
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Peterson Wu Microsoft Online Community Support
May 30th, 2011 5:40am