How to suppress certificate extension 1.3.6.1.4.1.311.2.1.14
I have an offline intermediate CA which is to be signed by a non-Windows root CA. I've written a capolicy.inf file in Windows 2008 like this:

    [Version]
    Signature="$Windows NT$"
    [RequestAttributes]
    Attribute1=1.2.840.113549.1.9.14
    [PolicyStatemetExtension]
    Policies = Certificate Policy
    Critical=True
    [OIDPolicy]
    OID=1.3.4.5.6 ;OID changed
    [BasicConstraintsExtension]
    PathLength=1
    SubjectType=CA
    Critical=True
    [Extensions]
    1.3.6.1.4.1.311.13.2.3=
    1.3.6.1.4.1.311.21.1=
    1.3.6.1.4.1.311.21.7=
    2.5.29.15=AwIBBg==
    Critical=2.5.29.15

But in my request file I am getting two attributes, as shown:

    Request Attributes: 2
      2 attributes:

      Attribute[0]: 1.3.6.1.4.1.311.2.1.14 (Certificate Extensions)
        Value[0][0]:
        Unknown Attribute type
    Certificate Extensions: 3
        2.5.29.19: Flags = 1(Critical), Length = 5
        Basic Constraints
            Subject Type=CA
            Path Length Constraint=None

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            0a cf c2 3b d7 3f 42 06 1a 01 49 34 4a a6 9f 49 f5 c2 15 f1

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Certificate Signing, Off-line CRL Signing, CRL Signing (06)

      Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
        Value[1][0]:
        Unknown Attribute type
    Certificate Extensions: 4
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Certificate Signing, Off-line CRL Signing, CRL Signing (06)

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            0a cf c2 3b d7 3f 42 06 1a 01 49 34 4a a6 9f 49 f5 c2 15 f1

        2.5.29.32: Flags = 1(Critical), Length = b
        Certificate Policies
            [1]Certificate Policy:
                 Policy Identifier=1.3.4.6

        2.5.29.19: Flags = 1(Critical), Length = 5
        Basic Constraints
            Subject Type=CA
            Path Length Constraint=None

1. How to suppress the extra attribute at the top?
2. How to make path length = 1?

Please help me.
July 25th, 2011 10:34am

1) I guess that you need to remove this section:

    [RequestAttributes]
    Attribute1=1.2.840.113549.1.9.14

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 25th, 2011 11:57am

Thanks Vadims for your reply. I've tried that, but it is not working. Even after removing the lines, the output is the same.

With Regards, S Prathaban
July 25th, 2011 12:27pm

It seems that this extra attribute is always generated by Windows CA. Also, I've noticed that your CAPolicy.inf has several errors:

1) At least one invalid extension, with OID = 1.3.6.1.4.1.311.13.2.3 = OS Version. This is not an extension, but a request attribute.
2) PolicyStatemetExtension should not be critical.
3) PolicyStatementExtension refers to a 'Certificate Policy' policy, however this policy is not defined. And you have an [OIDPolicy] section which hasn't any reference. The 'Certificate Policy' policy name should be renamed to 'OIDPolicy'.
4) Extensions (except Key Usage) haven't any values.
July 25th, 2011 1:32pm

My question to you: as per the MS documents, the Basic Constraints extension can set the path length. But although I've set the path length to 1, it shows in the request file as Path Length Constraint = None. Is there anything to be modified in my script, or is any addition required? Please explain.

With Regards, S Prathaban
July 25th, 2011 11:30pm

    [BasicConstraintsExtension]
    PathLength = 1
    Critical = true

Try this (without the subject type field).
July 26th, 2011 2:18am

Thanks a ton, Vadims. It worked out well. Thanks for your help.

With Regards, S Prathaban
July 26th, 2011 3:16am
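
An added example, not part of any post in this thread: a small Python check that reads a CAPolicy.inf and reports the problems the replies above point out (a critical policy statement section, a policy name with no matching section, SubjectType set alongside PathLength, and [Extensions] entries with no value). The function name `lint_capolicy` is hypothetical, and the sample text is constructed from the file in the question.

```python
import configparser

# Constructed sample: the CAPolicy.inf from the question, one directive per line.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"
[RequestAttributes]
Attribute1=1.2.840.113549.1.9.14
[PolicyStatemetExtension]
Policies = Certificate Policy
Critical=True
[OIDPolicy]
OID=1.3.4.5.6 ;OID changed
[BasicConstraintsExtension]
PathLength=1
SubjectType=CA
Critical=True
[Extensions]
1.3.6.1.4.1.311.13.2.3=
1.3.6.1.4.1.311.21.1=
1.3.6.1.4.1.311.21.7=
2.5.29.15=AwIBBg==
Critical=2.5.29.15
"""

def lint_capolicy(text):
    """Hypothetical helper: report the problems named in the replies above."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(text)  # option names are lower-cased; INF keys ignore case
    sections = {s.lower() for s in cp.sections()}
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if "policies" in sec:  # a policy statement section, whatever its spelling
            if sec.get("critical", "").lower() == "true":
                findings.append(f"[{name}] policy extension is marked critical")
            for pol in (p.strip() for p in sec["policies"].split(",")):
                if pol.lower() not in sections:
                    findings.append(f"[{name}] names undefined policy '{pol}'")
        elif name.lower() == "basicconstraintsextension":
            if "pathlength" in sec and "subjecttype" in sec:
                findings.append(f"[{name}] sets SubjectType alongside PathLength")
        elif name.lower() == "extensions":
            for oid, value in sec.items():
                if oid != "critical" and not value:
                    findings.append(f"[{name}] {oid} has no value")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_capolicy(SAMPLE_INF)))
```

Running the same check over a file that follows the replies (policy named OIDPolicy, no Critical on the policy section, no SubjectType, only the Key Usage entry under [Extensions]) returns an empty list.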
