How to make key extension critical in ADCS issued CA certificates
I'm trying to replicate a PKI chain of trust (Root CA -> Policy CA -> Issuing CA) with Microsoft Server 2008 R2's integrated CA solution. The solution is from an external source, and I'd like to have the certificates of the respective authorities look like the originals in terms of certificate extensions. I use a CAPolicy.inf file to set the specifics of the CA certificates for the respective CAs. My CAPolicy.inf looks like this:

    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    ; period keys take the unit name, the *Units keys take the count
    CRLPeriod=years
    CRLPeriodUnits=3
    CRLOverlapPeriod=months
    CRLOverlapUnits=1
    CRLDeltaPeriod=months
    CRLDeltaPeriodUnits=1
    DiscreteSignatureAlgorithm=1
    LoadDefaultTemplates=False

    [CRLDistributionPoint]
    Empty=True

    [AuthorityInformationAccess]
    Empty=True

    [Extensions]
    ; an OID with an empty value suppresses that extension
    1.3.6.1.4.1.311.21.1=
    1.3.6.1.4.1.311.20.2=
    ; base64 of the DER KeyUsage BIT STRING (digitalSignature, keyCertSign, cRLSign)
    2.5.29.15=AwIBhg==
    Critical=2.5.29.15

The Root CA certificate generated with this CAPolicy.inf has the "Key Usage" (2.5.29.15) attribute marked as critical (as expected by the CAPolicy.inf).

After the deployment of the Root CA, I use CertUtil to make sure that the CAs have the following registry entries:

    C:\Users\Administrator>certutil -getreg policy\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Queensland Government Root Certification Authority\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

      Values:
        RevocationType REG_DWORD = 100 (256)
          REVEXT_CDPENABLE -- 100 (256)
        CAPathLength REG_DWORD = ffffffff (-1)
        RevocationURL REG_SZ = https://%1/CertEnroll/nsrev_%3.asp
        EnableRequestExtensionList REG_MULTI_SZ =
          0: 1.2.840.113549.1.9.15 SMIME Capabilities
          1: 1.3.6.1.4.1.311.21.1 CA Version
          2: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
          3: 2.5.29.15 Key Usage
        EnableEnrolleeRequestExtensionList REG_MULTI_SZ =
          0: 1.3.6.1.4.1.311.10.9.1 Cross-Certificate Distribution Points
          1: 1.3.6.1.4.1.311.20.2 Certificate Template Name (Certificate Type)
          2: 1.3.6.1.4.1.311.21.7 Certificate Template Information
          3: 1.3.6.1.4.1.311.21.10 Application Policies
          4: 1.3.6.1.4.1.311.21.11 Application Policy Mappings
          5: 1.3.6.1.4.1.311.21.12 Application Policy Constraints
          6: 2.5.29.17 Subject Alternative Name
          7: 2.5.29.30 Name Constraints
          8: 2.5.29.32 Certificate Policies
          9: 2.5.29.33 Policy Mappings
          10: 2.5.29.36 Policy Constraints
          11: 2.5.29.37 Enhanced Key Usage
          12: 2.5.29.15 Key Usage
        DisableExtensionList REG_MULTI_SZ =
          0: 1.3.6.1.4.1.311.21.1 CA Version
          1: 1.3.6.1.4.1.311.20.2 Certificate Template Name (Certificate Type)
        SubjectAltName REG_SZ = DISABLED: Set to EMail to set SubjectAltName extension to the email address
        SubjectAltName2 REG_SZ = DISABLED: Set to EMail to set SubjectAltName 2 extension to the email address
        RequestDisposition REG_DWORD = 101 (257)
          REQDISP_ISSUE -- 1
          REQDISP_PENDINGFIRST -- 100 (256)
        EditFlags REG_DWORD = 83ee (33774)
          EDITF_REQUESTEXTENSIONLIST -- 2
          EDITF_DISABLEEXTENSIONLIST -- 4
          EDITF_ADDOLDKEYUSAGE -- 8
          EDITF_ATTRIBUTEENDDATE -- 20 (32)
          EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
          EDITF_BASICCONSTRAINTSCA -- 80 (128)
          EDITF_ENABLEAKIKEYID -- 100 (256)
          EDITF_ATTRIBUTECA -- 200 (512)
          EDITF_ATTRIBUTEEKU -- 8000 (32768)
        DefaultSMIME REG_MULTI_SZ =
          0: 1.2.840.113549.3.2,128 rc2 80 (128)
          1: 1.2.840.113549.3.4,128 rc4 80 (128)
          2: 1.3.14.3.2.7 des
          3: 1.2.840.113549.3.7 3des
        EnableExtensionList REG_MULTI_SZ =
          0: 2.5.29.15 Key Usage
          1: 2.5.29.32 Certificate Policies
    CertUtil: -getreg command completed successfully.

The policies are set, for example, with

    certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2

to disable the "Certificate Template Name" extension, or

    certutil -setreg policy\EnableExtensionList +2.5.29.15

to enable the "Key Usage" extension.

However, when I get a certificate request from the Policy CA using the above CAPolicy.inf with "Key Usage" marked as critical in the request, then after submitting the request to the Root CA, the "Key Usage" property is marked down as being non-critical. (In the Certification Authority console right-click the request, select "All Tasks" -> "View Attributes/Extensions...", select the "Extensions" tab and scroll down to "Key Usage".)

I then tried as an administrator to manually specify the "Key Usage" as critical again by creating a file keyUsage.txt with the content AwIBhg== and then using certutil as follows:

    certutil.exe -setextension <RequestID> 2.5.29.15 1 @keyUsage.txt

replacing <RequestID> with the actual number of the request in the certificate request database. After I set the extension to be critical manually, "Key Usage" shows up with Critical=Yes and Enabled=Yes in the properties of the request, with the Origin set to "Administrator". However, when I issue the certificate, "Key Usage" is set back to non-critical in the issued certificate.

I'm a little bit at a loss here why that happens and what additional steps need to be taken to get "Key Usage" as a critical extension in the certificate. Thanks in advance for any help. --Georg
May 25th, 2011 4:00am
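The question turns on two separate things: the value after `2.5.29.15=` in CAPolicy.inf, which is the base64 of a DER-encoded KeyUsage BIT STRING, and the critical flag, which X.509 stores as a separate BOOLEAN inside the enclosing Extension SEQUENCE. The example below is added here and is not code from the thread or from Microsoft; it uses only the Python standard library, builds and decodes the `AwIBhg==` value, and shows how an Extension looks in DER with and without the critical flag, so the definitive check on an issued certificate is to look at those bytes rather than at the request's attributes. The helper names (`encode_key_usage`, `parse_extension`, and so on) are this example's own.

```python
"""Added example: encode/decode the X.509 Key Usage extension (OID 2.5.29.15)
in the form a CAPolicy.inf [Extensions] entry expects (base64 of the DER
KeyUsage BIT STRING), and show where the "critical" flag actually lives:
in the enclosing Extension SEQUENCE, not in that value.
Standard-library Python only; no CA or certificate store is touched."""
import base64

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(der, i):
    """Read one DER element at offset i; returns (tag, body, offset after element)."""
    tag, first = der[i], der[i + 1]
    if first & 0x80:
        nlen = first & 0x7F
        length = int.from_bytes(der[i + 2:i + 2 + nlen], "big")
        start = i + 2 + nlen
    else:
        length, start = first, i + 2
    return tag, der[start:start + length], start + length


def encode_key_usage(names):
    """DER KeyUsage BIT STRING for the named usages (trailing zero bits trimmed, as DER requires)."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    nbits = max(positions) + 1
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    unused = nbytes * 8 - nbits  # first content octet: count of unused trailing bits
    return tlv(0x03, bytes([unused]) + bytes(value))


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING back into usage names."""
    if der[0] != 0x03 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form BIT STRING")
    unused, bits = der[2], der[3:]
    return [KEY_USAGE_BITS[p] for p in range(len(bits) * 8 - unused)
            if bits[p // 8] & (0x80 >> (p % 8))]


def capolicy_value(names):
    """The text placed after '2.5.29.15=' in CAPolicy.inf."""
    return base64.b64encode(encode_key_usage(names)).decode("ascii")


# OID 2.5.29.15 in DER: first two arcs packed as 2*40+5 = 0x55, then 29, 15.
KEY_USAGE_OID = tlv(0x06, bytes([0x55, 0x1D, 0x0F]))


def encode_extension(oid_der, value_der, critical):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits a field equal to its DEFAULT, so a non-critical extension carries no BOOLEAN at all."""
    body = oid_der
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value_der)
    return tlv(0x30, body)


def parse_extension(der):
    """Return (oid_der, critical, value_der) from one DER Extension: the check to
    run against an issued certificate's extension bytes."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, oid, i = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID missing")
    critical = False
    tag, field, j = read_tlv(body, i)
    if tag == 0x01:  # optional critical BOOLEAN present
        critical = field != b"\x00"
        tag, field, j = read_tlv(body, j)
    if tag != 0x04:
        raise ValueError("extnValue missing")
    return tlv(0x06, oid), critical, field


if __name__ == "__main__":
    ca_usage = ["digitalSignature", "keyCertSign", "cRLSign"]
    print("2.5.29.15=" + capolicy_value(ca_usage))
    print(decode_key_usage(base64.b64decode("AwIBhg==")))
    for crit in (True, False):
        ext = encode_extension(KEY_USAGE_OID, encode_key_usage(ca_usage), crit)
        print(ext.hex(), "critical =", parse_extension(ext)[1])
```

Running the script prints `2.5.29.15=AwIBhg==`, the three usages that value encodes, and the two Extension encodings side by side: the critical one contains the bytes `01 01 ff` right after the OID, the non-critical one does not. The same `parse_extension` check applied to the Key Usage extension pulled out of an issued CA certificate tells you what the CA really wrote, independent of what the pending request's "Critical" column showed.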

Hi, Frankly this issue is fairly complicated. Many details or logs may be required to perform deep research. Therefore, I'm afraid your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone Thanks! Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Peterson Wu Microsoft Online Community Support
May 30th, 2011 5:40am

Hopefully you already found a fix for this, but if not here you go... Mainly I'm posting this so that others may find it better in the future:

    certutil.exe -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
    net stop certsvc & net start certsvc

If the request already had the desired values in the request (e.g. you had them in capolicy.inf on the policy/sub tiers) then you can resubmit the request. If it is already pending or if you don't have the values already in the request then you can do what you were trying to do with the setextension command against the pending RequestID.

You may want to re-enable this value (+EDITF_ADDOLDKEYUSAGE) to avoid accidentally allowing this for future issuances; if this is not a concern then you might consider leaving it disabled, particularly if the CA is offline.

For troubleshooting purposes, this is what I'm looking at to know that it was enabled:

    EditFlags REG_DWORD = 83ee (33774)

33774 indicates that all of the values listed underneath were enabled, including this line:

    EDITF_ADDOLDKEYUSAGE -- 8
March 10th, 2012 1:43pm

