Win2003 PKI : Subordinate CA certificate parameter
  #1  
Old 11-09-2007
Member
 
Join Date: Sep 2007
Posts: 4
Win2003 PKI : Subordinate CA certificate parameter

I have installed two Win2003 Standard edition servers. I use one as a standalone root CA. The second is a standalone (no enterprise) subordinate CA.

In the root CA I can successfully change the CApolicy.inf file to make the Root CA certificate keyusage field 'critical' and have the following value: 'Certificate Signing, Off-line CRL Signing, CRL Signing (06)'

I want to achieve the same for the Subordinate CA, but the same parameters I used for the Root don't work in the Sub. CApolicy.inf file. Or in any other policy.inf file for that matter.

ex.
[Extensions]
;The Extensions section marks the KeyUsage as critical
2.5.29.15=AwIBBg==
Critical=2.5.29.15

Can anyone help?
Thanks

Kris
  #2  
Old 12-09-2007
Paul Adare
 
Posts: n/a
Re: Win2003 PKI : Subordinate CA certificate parameter

Before you issue the subordinate CA certificate you need to run the
following command on the root CA:

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
  #3  
Old 12-09-2007
Member
 
Join Date: Sep 2007
Posts: 4
I have tried what you proposed. But I believe the problem is still located in the generated certificate request during install of the subordinate CA. If I dump the request I find:

Certificate Extensions: 3
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
64 5f b6 fe 83 df ac e8 30 6d fb 68 5e 24 34 2d 46 ab e8 19

2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)


I want to generate a key usage of 0x06. As CApolicy.inf I used:

[basicconstraintsextension]
PathLength=0
Critical=true
[Extensions]
;The Extensions section marks the KeyUsage as critical
; and ensure key usage 0x06: Certificate Signing, Off-line CRL Signing, CRL Signing (06)
;
2.5.29.15=AwIBBg==
Critical=2.5.29.15


But both pathlength and keyusage are not as I want them.
  #4  
Old 02-10-2007
Member
 
Join Date: Sep 2007
Posts: 4
Thanks

Thanks Paul; This was indeed the correct solution.

Do you have any ideas about my other problem:
http://forums.techarena.in/showthread.php?t=827315

Regards
  #5  
Old 03-10-2007
Martin Rublik
 
Posts: n/a
Re: Win2003 PKI : certreq.exe using 'special' subject fields

Hi,

maybe this link is going to be useful
http://technet2.microsoft.com/window....mspx?mfr=true
check out the following

-SNIP-
SubjectTemplate
Registry Path

\CertSvc\Configuration\CAName\SubjectTemplate
Version

Windows Server 2003 and Windows 2000 Server

This setting contains an ordered list of the subject relative distinguished name
elements that are allowed in the Subject field of certificates issued by the CA.

This setting can only be set to a small, fixed list of relative distinguished
name elements supported by the CA. If during request processing a listed
relative distinguished name field is empty, or if the field is not populated by
the request Subject field or by the policy module, the element will not be
included. If the registry value is completely empty, the binary subject encoding
from the request is passed through to the issued certificate unmodified.
-SNIP-

Default setting is

EMail
CommonName
OrganizationalUnit
Organization
Locality
State
DomainComponent
Country

Which are those fields that 'work' in your case.
  #6  
Old 04-10-2007
Member
 
Join Date: Jul 2008
Posts: 4
Don't forget DC <G>
I am not aware of any formal listing that is public information.


What was the CORRECT solution ????
I'm getting crazy...


You've replied to a really, really old thread which has scrolled off of my
server and have not detailed the problem.
  #7  
Old 04-10-2007
Member
 
Join Date: Sep 2007
Posts: 4
Works!!

Thanks a lot Martin

That solution you provided works perfectly. I can now use T (title) also.
I didn't see that website you referred to before; it was quite helpful.

I still have one problem that remains:
My sub CA does not add the BasicConstraints extension to the certificate. Furthermore, I would also like to make it critical. While I can successfully generate the request that contains these parameters:
C:\PKI\test>certutil.exe -setextension 25 2.5.29.19 1 @bc.txt
0000 30 00 0.
CertUtil: -setextension command completed successfully.


The resulting certificate doesn't contain it.

I have also done the following but no change... Any ideas?

C:\PKI\test>certutil -setreg policy\EditFlags -EDITF_BASICCONSTRAINTSCRITICAL
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\KFBN-FRNB Issuing CA Class A\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
EditFlags REG_DWORD = 83e6 (33766)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)

New Value:
EditFlags REG_DWORD = 83a6 (33702)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)


Kris
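A way to read EditFlags dumps like the one above without doing the hex arithmetic by hand. The following Python script is an added example, not part of this thread and not part of certutil: it parses the `EditFlags REG_DWORD = 83e6 (33766)` line, lists the flags that are set, mimics what `certutil -setreg policy\EditFlags +FLAG` / `-FLAG` does to the value, and checks the result against a small policy. The flag values marked `post #7` are the ones printed in the output above; the remaining constants are assumed from certsrv.h. The sample dump is a copy of the Old Value block above, and the function names are this example's own.

```python
import re

# EditFlags bits of the CA's default policy module, stored under
# ...\CertSvc\Configuration\<CA name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags.
# Bits marked "post #7" are taken from the certutil output quoted in this thread;
# the others are the certsrv.h constants and are an assumption of this example.
EDITF = {
    "EDITF_ENABLEREQUESTEXTENSIONS": 0x00001,   # certsrv.h
    "EDITF_REQUESTEXTENSIONLIST": 0x00002,      # post #7
    "EDITF_DISABLEEXTENSIONLIST": 0x00004,      # post #7
    "EDITF_ADDOLDKEYUSAGE": 0x00008,            # certsrv.h; the flag post #2 clears
    "EDITF_ADDOLDCERTTYPE": 0x00010,            # certsrv.h
    "EDITF_ATTRIBUTEENDDATE": 0x00020,          # post #7
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x00040,  # post #7
    "EDITF_BASICCONSTRAINTSCA": 0x00080,        # post #7
    "EDITF_ENABLEAKIKEYID": 0x00100,            # post #7
    "EDITF_ATTRIBUTECA": 0x00200,               # post #7
    "EDITF_ATTRIBUTEEKU": 0x08000,              # post #7
    "EDITF_ATTRIBUTESUBJECTALTNAME2": 0x40000,  # certsrv.h; should stay clear on a hardened CA
}
KNOWN_MASK = 0
for _bit in EDITF.values():
    KNOWN_MASK |= _bit

# Sample input: the "Old Value" block quoted in post #7, copied here as test data.
SAMPLE_DUMP = """Old Value:
EditFlags REG_DWORD = 83e6 (33766)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
"""

_VALUE_LINE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)")


def parse_editflags(dump_text):
    """Extract the EditFlags DWORD from certutil -getreg / -setreg output."""
    match = _VALUE_LINE.search(dump_text)
    if match is None:
        raise ValueError("no 'EditFlags REG_DWORD = hex (dec)' line found")
    as_hex, as_dec = int(match.group(1), 16), int(match.group(2))
    if as_hex != as_dec:  # certutil prints both; a mismatch means a mangled dump
        raise ValueError("hex and decimal values disagree: %x vs %d" % (as_hex, as_dec))
    return as_hex


def decode_editflags(value):
    """Return (names of set flags in ascending bit order, bits with no known name)."""
    names = [name for name, bit in sorted(EDITF.items(), key=lambda kv: kv[1]) if value & bit]
    unknown = value & ~KNOWN_MASK
    return names, unknown


def apply_setreg(value, flag_arg):
    r"""Mimic 'certutil -setreg policy\EditFlags +FLAG' (set) and '-FLAG' (clear)."""
    sign, name = flag_arg[:1], flag_arg[1:]
    if sign not in ("+", "-") or name not in EDITF:
        raise ValueError("expected +EDITF_... or -EDITF_..., got %r" % flag_arg)
    return value | EDITF[name] if sign == "+" else value & ~EDITF[name]


def check_editflags(value, required=(), forbidden=("EDITF_ATTRIBUTESUBJECTALTNAME2",)):
    """List policy violations: required flags that are clear, forbidden flags that are set."""
    problems = []
    for name in required:
        if not value & EDITF[name]:
            problems.append("%s is required but clear" % name)
    for name in forbidden:
        if value & EDITF[name]:
            problems.append("%s is set but forbidden" % name)
    return problems


if __name__ == "__main__":
    old = parse_editflags(SAMPLE_DUMP)
    names, unknown = decode_editflags(old)
    print("EditFlags = %x:" % old, ", ".join(names), "(unknown bits: %x)" % unknown)
    new = apply_setreg(old, "-EDITF_BASICCONSTRAINTSCRITICAL")
    print("after -EDITF_BASICCONSTRAINTSCRITICAL: %x" % new)
    print("audit:", check_editflags(new, required=("EDITF_BASICCONSTRAINTSCRITICAL",)))
```

Applying `-EDITF_BASICCONSTRAINTSCRITICAL` to 0x83e6 gives 0x83a6, exactly the New Value in the output above: the leading minus clears the flag, and the old value already had it set, so that command removed the very flag that makes Basic Constraints critical. Someone auditing a CA can feed the value read from the registry into `check_editflags` to confirm the flags they rely on are set and flags they want clear are clear.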
  #8  
Old 18-07-2008
Member
 
Join Date: Jul 2008
Posts: 4
Customize Key usage on subordinate CA

I apologize for being rude. I can't see much clear online documentation on this issue.

The problem is exactly the same as reported by Kris: I need to customize the setup of a subordinate CA so that its certificate has a Key Usage value of only 'Certificate Signing, Off-line CRL Signing, CRL Signing (06)'. I successfully set up the Root CA by editing the CAPolicy.inf file with the lines

[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15

but the setup of the subordinate CA seems even more tricky.

I used the setreg command you mentioned (certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE) on the Root CA before issuing the certificate, but the request (just as in the case of Kris) reads "Key Usage (Digital Signature,...)" and the CA root did not issue the certificate I want. I certainly miss something, but what ?

Technet (http://technet2.microsoft.com/window....mspx?mfr=true) did not say much more. Please help.

Both CAs are Windows 2003.
  #9  
Old 18-07-2008
Martin Rublik
 
Posts: n/a
Re: Win2003 PKI : Subordinate CA certificate parameter

Just to be sure, you want to have the key usage on a subordinate ca defined only
for Certificate Signing, Off-line CRL Signing, CRL Signing - 0x06.

And you have edited the Root CA CAPolicy.inf? I think that this is the issue.
You need to edit the subordinate CA's CAPolicy.inf as this is the place where
you specify what kind of information will be present in the request for a
certificate.

You can verify whether your subordinate CA's certificate request contains the right
key usage using the certutil -dump request.req command.
  #10  
Old 18-07-2008
Member
 
Join Date: Jul 2008
Posts: 4
Hi Martin,

exactly, I want (my boss wants) the key usage on a subordinate ca defined only for Certificate Signing, Off-line CRL Signing, CRL Signing - 0x06.

I understood that the CAPolicy.inf had to be edited only to set up the ROOT CA, so there is no CAPolicy.inf on the wannabe subordinate CA. It is very possible I misunderstood. If so, what should my CAPolicy.inf look like to reach that kind of CA certificate?

My dumps all show the same frustrating values:

-----------------------------------------------
[...]
Request Attributes: 3
3 attributes:

Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
Value[0][0]:
5.2.3790.2.Service Pack 2

Attribute[1]: 1.3.6.1.4.1.311.2.1.14 (Certificate Extensions)
Value[1][0]:
Unknown Attribute type
Certificate Extensions: 3
2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0

2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)


Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[2][0]:
Unknown Attribute type
Certificate Extensions: 5
1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
CA Version
V0.0

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0

1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
Certificate Template Name
SubCA

2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

2.5.29.19: Flags = 1(Critical), Length = 5
Basic Constraints
Subject Type=CA
Path Length Constraint=None
[...]
-----------------------------------------------

Thank you so much for your reply and your help (it's 6pm here so I have to rush away).
  #11  
Old 21-07-2008
Martin Rublik
 
Posts: n/a
Re: Win2003 PKI : Subordinate CA certificate parameter

Hi,

You need to change the CAPolicy.inf on the subordinate CA. CAPolicy.inf is used
during the enrollment process, and the request and its contents depend on the file.


CAPolicy.inf is used for customizing the parameters of *any* (not only
root) CA certificate before its certificate request is generated (either the first
time or while renewing). It can also define other parameters of a CA prior to its
installation.

The structure of CAPolicy.inf depends on the determined requirements regarding
the subordinate CA's certificate (e.g. key length, extended key usage,
information regarding CPS, ...).

If you want some further reading I can recommend the great book written by
Brian Komar, "Windows Server 2008 PKI and Certificate Security".

If you just want the job done, try the following CAPolicy.inf on the subordinate CA (Not
recommended. You should modify this CAPolicy.inf so it will fit your environment):

[Version]
Signature="$Windows NT"

[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15
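The `2.5.29.15=AwIBBg==` line in the CAPolicy.inf above and the (06) versus (86) values in the request dumps earlier in the thread (post #3 and post #10) are one and the same DER-encoded KeyUsage BIT STRING. The Python script below is an added example, not code from this thread or from Microsoft: it turns a set of RFC 5280 key usage names into that base64 value and decodes such a value back into names, so a CAPolicy.inf line or a dumped request can be checked before the subordinate CA certificate is issued. The function names are this example's own.

```python
import base64

# RFC 5280 KeyUsage bit numbers. Bit 0 is the most significant bit of the
# first content octet of the DER BIT STRING, so a one-octet value reads
# MSB-first: 0x80 = digitalSignature, 0x04 = keyCertSign, 0x02 = cRLSign.
# certutil prints bit 6 under two names ("Off-line CRL Signing" and
# "CRL Signing"); both refer to the same 0x02 bit.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def encode_key_usage(*names):
    """DER-encode a KeyUsage BIT STRING (tag 0x03) holding the given usages."""
    bits = 0
    for name in names:
        bits |= 1 << (15 - KEY_USAGE_BITS[name])  # two octets cover bits 0..8
    octets = bits.to_bytes(2, "big").rstrip(b"\x00")
    if not octets:
        return b"\x03\x01\x00"  # empty BIT STRING: no content octets, 0 unused bits
    # DER requires the minimal encoding: the trailing zero bits of the last
    # octet are declared as "unused" in the first content octet.
    last = octets[-1]
    unused = (last & -last).bit_length() - 1
    body = bytes([unused]) + octets
    return bytes([0x03, len(body)]) + body


def capolicy_value(*names):
    """The base64 string that goes after '2.5.29.15=' in CAPolicy.inf."""
    return base64.b64encode(encode_key_usage(*names)).decode("ascii")


def certutil_mask(*names):
    """The number certutil prints in parentheses after the usage list, e.g. (06) or (86)."""
    der = encode_key_usage(*names)
    return der[3] if len(der) > 3 else 0


def decode_key_usage(der):
    """Inverse of encode_key_usage: the usage names set in a DER KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING with a short-form length")
    unused, octets = der[2], der[3:]
    usable_bits = len(octets) * 8 - unused
    return [
        name
        for name, bit in KEY_USAGE_BITS.items()
        if bit < usable_bits and (octets[bit // 8] >> (7 - bit % 8)) & 1
    ]


def decode_capolicy_value(b64):
    """Decode the value from a CAPolicy.inf '2.5.29.15=' line."""
    return decode_key_usage(base64.b64decode(b64))


if __name__ == "__main__":
    wanted = ("keyCertSign", "cRLSign")
    print("CAPolicy.inf line: 2.5.29.15=%s  certutil mask (%02x)"
          % (capolicy_value(*wanted), certutil_mask(*wanted)))
    print("AwIBBg== decodes to", decode_capolicy_value("AwIBBg=="))
    # What the default SubCA request in the thread carried: Digital Signature as well.
    with_ds = ("digitalSignature",) + wanted
    print("with digitalSignature: %s  (%02x)" % (capolicy_value(*with_ds), certutil_mask(*with_ds)))
```

Run stand-alone, it prints the CAPolicy.inf value for keyCertSign plus cRLSign (`AwIBBg==`, mask 06) and the value the default SubCA request produced (`AwIBhg==`, mask 86); the two differ only in the digitalSignature bit, 0x80. Keep in mind that the `[Extensions]` line only changes what goes into the request; whether the issuing CA passes the extension through is decided by its policy module, which is why the replies in this thread point at EditFlags on the issuing CA as well.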
  #12  
Old 21-07-2008
Member
 
Join Date: Jul 2008
Posts: 4
Hi Martin,

thank you so much for your answer. I did manage to create a request that reads:

2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Certificate Signing, Off-line CRL Signing, CRL Signing (06)

Now I have an error when trying to install the certificate and start the service. I'll try to restart the whole procedure from the beginning because I might have misconfigured something. I'll let you know here soon.

CAPolicy.inf is used for customizing the parameters of *any* (not only
root) CA certificate before its certificate request is generated (either the first
time or while renewing). It can also define other parameters of a CA prior to its
installation.

The structure of CAPolicy.inf depends on the determined requirements regarding the subordinate CA's certificate (e.g. key length, extended key usage, information regarding CPS, ...).

It's still a bit tricky because both Certification Services setup and the certificate installation have to be done with an Enterprise Admin account. And still, until you install the certificate, the System event log shows some DCOM error.

Thanks all for support. I'll keep following this forum and try to go through the book Martin suggested before asking for help again.
  #13  
Old 30-12-2009
Member
 
Join Date: Dec 2009
Posts: 1
Re: Win2003 PKI : Subordinate CA certificate parameter

Dear all,
I have a problem with PathLenConstraint value,
My subordinate CA has already been set up, but when I check its certificate, the PathLenConstraint value is none, so how can I change it to zero or something different?

Thanks,
  #14  
Old 01-01-2010
Member
 
Join Date: Jan 2010
Posts: 1
Re: Win2003 PKI : Subordinate CA certificate parameter

I have a problem: error 429, ActiveX component can't create object.
  #15  
Old 02-01-2010
FromTheRafters
 
Posts: n/a
Re: Win2003 PKI : Subordinate CA certificate parameter

Is this related to the post that you are responding to?

Please drop the lousy web interface and access the newsgroup with a
newsreader. If your post is about the same thing as someone else's post
(but different) then please create a *new* post, with a meaningful
subject line, and plenty of *meat* in the body of the post.

If you are having a problem of some sort (as most posters do), please
give all pertinent information.