How to suppress certificate extension 1.3.6.1.4.1.311.2.1.14
I have an Offline Intermediate CA which is to be signed by a non-Windows Root CA. I've written a capolicy.inf file in Windows 2008 like this:
[Version]
Signature="$Windows NT$"
[RequestAttributes]
Attribute1=1.2.840.113549.1.9.14
[PolicyStatemetExtension]
Policies = Certificate Policy
Critical=True
[OIDPolicy]
OID=1.3.4.5.6 ;OID changed
[BasicConstraintsExtension]
PathLength=1
SubjectType=CA
Critical=True
[Extensions]
1.3.6.1.4.1.311.13.2.3=
1.3.6.1.4.1.311.21.1=
1.3.6.1.4.1.311.21.7=
2.5.29.15=AwIBBg==
Critical=2.5.29.15
------------------------------------
But in my request file I am getting two attributes, as shown:
Request Attributes: 2
2 attributes:
Attribute[0]: 1.3.6.1.4.1.311.2.1.14 (Certificate Extensions)
Value[0][0]:
Unknown Attribute type
Certificate Extensions: 3
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
0a cf c2 3b d7 3f 42 06 1a 01 49 34 4a a6 9f 49 f5 c2 15 f1
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[1][0]:
Unknown Attribute type
Certificate Extensions: 4
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
0a cf c2 3b d7 3f 42 06 1a 01 49 34 4a a6 9f 49 f5 c2 15 f1
2.5.29.32: Flags = 1(Critical), Length = b
Certificate Policies
[1]Certificate Policy:
Policy Identifier=1.3.4.6
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
1. How to suppress the extra attribute at the top?
2. How to make path length = 1?
Please help me.
July 25th, 2011 10:34am
1) I guess that you need to remove this section:
[RequestAttributes]
Attribute1=1.2.840.113549.1.9.14
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 25th, 2011 11:57am
Thanks Vadims for your reply,
But I've tried that and it is not working. Even after removal of the lines the output is the same.
With Regards, S Prathaban
July 25th, 2011 12:27pm
It seems that this extra attribute is always generated by Windows CA. Also I've noticed that your CAPolicy.inf has several errors:
1) at least one invalid extension with OID = 1.3.6.1.4.1.311.13.2.3 = OS Version. This is not an extension, but a request attribute.
2) PolicyStatemetExtension should not be critical.
3) PolicyStatementExtension refers to a 'Certificate Policy' policy, however this policy is not defined. And you have [OIDPolicy] section which hasn't any reference. 'Certificate Policy' policy name should be renamed to 'OIDPolicy'
4) extensions (except Key Usage) haven't any values.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 25th, 2011 1:32pm
My question to you is: as per the MS documents, the Basic Constraints extension can set the path length. But although I've set the path length to 1, it shows in the request file as Path Length Constraint = None. Is there anything to be modified in my script, or is any addition required? Please explain.
With Regards, S Prathaban
July 25th, 2011 11:30pm
[BasicConstraintsExtension]
PathLength = 1
Critical = true
Try this (without the subject type field).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 26th, 2011 2:18am
Thanks a ton, Vadims. It worked out well. Thanks for your help.
With Regards, S Prathaban
July 26th, 2011 3:16am
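To confirm what a request actually encodes before it goes to the root CA, the extension values discussed in this thread can be decoded directly. The following is an added example, not part of the thread: a minimal Python DER decoder for Basic Constraints and Key Usage. The two Basic Constraints byte strings are constructed samples (the 5-byte one is consistent with the "Length = 5" in the dump), and the Key Usage input is the base64 value from the [Extensions] section.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV (short-form lengths only)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    tag, end = buf[pos], pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def parse_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }. Returns (is_ca, path_len or None)."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:   # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        is_ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:   # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected trailing data")
    return is_ca, path_len

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def parse_key_usage(der):
    """KeyUsage is a BIT STRING; bit 0 is the most significant bit of byte 0."""
    tag, body, end = read_tlv(der)
    if tag != 0x03 or end != len(der) or not body:
        raise ValueError("not a single BIT STRING")
    bits = body[1:]                              # body[0] = count of unused bits
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]

# Constructed samples: 5 bytes is consistent with "Length = 5" in the dump;
# the 8-byte value is the same extension with pathLenConstraint = 1.
NO_PATHLEN = bytes.fromhex("30030101ff")
PATHLEN_1 = bytes.fromhex("30060101ff020101")
KEY_USAGE = base64.b64decode("AwIBBg==")         # value from [Extensions]
if __name__ == "__main__":
    for name, der in (("no pathlen", NO_PATHLEN), ("pathlen 1", PATHLEN_1)):
        print(name, len(der), "bytes ->", parse_basic_constraints(der))
    print("key usage ->", parse_key_usage(KEY_USAGE))
```

A Basic Constraints value of 5 bytes has no room for the pathLenConstraint INTEGER, so the length printed in a request dump is a quick indicator of whether the constraint was encoded.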