
Thread: Win2003 PKI : Subordinate CA certificate parameter

  1. #1
    Join Date
    Sep 2007
    Posts
    4

    Win2003 PKI : Subordinate CA certificate parameter

    I have installed two Win2003 Standard edition servers. I use one as a standalone root CA. The second is a standalone (no enterprise) subordinate CA. In the root CA I can successfully change the CApolicy.inf file to make the Root CA certificate keyusage field 'critical' and have the following value: 'Certificate Signing, Off-line CRL Signing, CRL Signing (06)'. I want to achieve the same for the Subordinate CA, but the same parameters I used for the Root don't work in the Sub. CApolicy.inf file. Or in any other policy.inf file for that matter.
    ex.
    [Extensions]
    ;The Extensions section marks the KeyUsage as critical
    2.5.29.15=AwIBBg==
    Critical=2.5.29.15

    Can anyone help?
    Thanks

    Kris

  2. #2
    Join Date
    Sep 2004
    Posts
    73

    Re: Win2003 PKI : Subordinate CA certificate parameter

    Try to run the following command before you issue the subordinate certificate -- certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE -- and see what results you get. I would recommend you go through some documentation on this. There are ample resources available on the web.

  3. #3
    Join Date
    Sep 2007
    Posts
    4
    I have tried what you proposed. But I believe the problem is still located in the generated certificate request during install of the subordinate CA. If I dump the request I find:

    Certificate Extensions: 3
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
    Subject Type=CA
    Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
    64 5f b6 fe 83 df ac e8 30 6d fb 68 5e 24 34 2d 46 ab e8 19

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
    Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)


    I want to generate a key usage of 0x06. As CApolicy.inf I used:

    [basicconstraintsextension]
    PathLength=0
    Critical=true
    [Extensions]
    ;The Extensions section marks the KeyUsage as critical
    ; and ensure key usage 0x06: Certificate Signing, Off-line CRL Signing, CRL Signing (06)
    ;
    2.5.29.15=AwIBBg==
    Critical=2.5.29.15


    But both PathLength and KeyUsage are not as I want them.
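The two requests shown in this thread differ only in the first octet of the KeyUsage BIT STRING: 0x86 carries the Digital Signature bit (0x80) on top of keyCertSign (0x04) and cRLSign (0x02), while 0x06 is the value the poster wants, and `AwIBBg==` in the CAPolicy.inf above is just the base64 of that BIT STRING's DER (`03 02 01 06`). The script below is an added example, not code from the thread or from Microsoft; it encodes and decodes the value CAPolicy.inf expects after `2.5.29.15=`, renders the `[Extensions]` section, and also decodes the 5-byte Basic Constraints from the dump above to show why certutil reports `Path Length Constraint=None` rather than 0. The RFC 5280 bit names and the certutil display names in the comments are standard; the sample DER bytes are constructed from the lengths the dump reports.

```python
import base64

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0 -> 0x80  (certutil: "Digital Signature")
    "nonRepudiation",    # bit 1 -> 0x40
    "keyEncipherment",   # bit 2 -> 0x20
    "dataEncipherment",  # bit 3 -> 0x10
    "keyAgreement",      # bit 4 -> 0x08
    "keyCertSign",       # bit 5 -> 0x04  (certutil: "Certificate Signing")
    "cRLSign",           # bit 6 -> 0x02  (certutil: "Off-line CRL Signing, CRL Signing")
    "encipherOnly",      # bit 7 -> 0x01
    "decipherOnly",      # bit 8 -> 0x80 of the second octet
]


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING for the named bits and return it base64-encoded,
    i.e. the form CAPolicy.inf expects after '2.5.29.15='."""
    positions = sorted(KEY_USAGE_BITS.index(n) for n in names)
    if not positions:
        return base64.b64encode(b"\x03\x01\x00").decode("ascii")  # empty BIT STRING
    octets = bytearray((positions[-1] // 8) + 1)
    for p in positions:
        octets[p // 8] |= 0x80 >> (p % 8)
    # DER requires the minimal encoding: trailing zero bits of the last octet are
    # declared in the leading "unused bits" byte, so count them.
    unused, last = 0, octets[-1]
    while last & 1 == 0:
        last >>= 1
        unused += 1
    content = bytes([unused]) + bytes(octets)
    return base64.b64encode(bytes([0x03, len(content)]) + content).decode("ascii")


def decode_key_usage(b64):
    """Inverse of encode_key_usage: return (names, first_octet) for a base64 DER KeyUsage.
    first_octet is the hex value certutil prints in parentheses, e.g. (06) or (86)."""
    der = base64.b64decode(b64)
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, octets = der[2], der[3:]
    names = [KEY_USAGE_BITS[i]
             for i in range(len(octets) * 8 - unused)
             if octets[i // 8] & (0x80 >> (i % 8))]
    return names, (octets[0] if octets else 0)


def decode_basic_constraints(der):
    """Decode a DER BasicConstraints SEQUENCE into (is_ca, path_len).
    path_len is None when the optional pathLenConstraint INTEGER is absent,
    which is what certutil shows as 'Path Length Constraint=None'."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER SEQUENCE")
    body, is_ca, path_len = der[2:], False, None
    if body[:2] == b"\x01\x01":          # optional BOOLEAN cA (DEFAULT FALSE, omitted when false)
        is_ca = body[2] != 0
        body = body[3:]
    if body[:1] == b"\x02":              # optional INTEGER pathLenConstraint
        n = body[1]
        path_len = int.from_bytes(body[2:2 + n], "big")
    return is_ca, path_len


def capolicy_extensions_section(names, critical=True):
    """Render the [Extensions] lines for CAPolicy.inf that request this KeyUsage."""
    lines = ["[Extensions]", "2.5.29.15=" + encode_key_usage(names)]
    if critical:
        lines.append("Critical=2.5.29.15")
    return "\n".join(lines)


if __name__ == "__main__":
    print(capolicy_extensions_section(["keyCertSign", "cRLSign"]))
    print(decode_key_usage("AwIBBg=="))   # the wanted (06) value
    print(decode_key_usage("AwIBhg=="))   # the (86) value the request actually carried
    # Constructed 5-byte Basic Constraints matching "Length = 5" in the dump: cA=TRUE, no path length
    print(decode_basic_constraints(bytes.fromhex("30 03 01 01 ff")))
    # Constructed 8-byte value that a PathLength=0 request would carry
    print(decode_basic_constraints(bytes.fromhex("30 06 01 01 ff 02 01 00")))
```

Run it against a request dump by feeding `decode_key_usage` the base64 string from your own CAPolicy.inf; if the names it returns do not match what `certutil -dump request.req` prints, the request was not built from that inf file.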

  4. #4
    Join Date
    Sep 2007
    Posts
    4

    Thanks

    I am facing one more issue. The above solution was really helpful. But still it looks there is some issue with configuration. I am yet confused to mention that in detail but looking forward to some information on that soon. Thanks.

  5. #5
    Join Date
    Sep 2004
    Posts
    137

    Re: Win2003 PKI : certreq.exe using 'special' subject fields

    I had provided a link that refers to a number of different articles on configuring Windows Server. I am sure that will be helpful and will offer you a detailed description of what you are looking for. It is necessary that you check the settings properly. There might be some small fix available. Try to work with default settings.

    Windows Server 2003

  6. #6
    Join Date
    Jul 2008
    Posts
    4
    Don't forget DC <G>. I am not aware of any formal listing that is public information. What was the CORRECT solution???? I am getting crazy. You've replied to a really, really old thread which has scrolled off of my server and have not detailed the problem.

  7. #7
    Join Date
    Sep 2007
    Posts
    4

    Works!!

    Thanks a lot Martin

    That solution you provided works perfectly. I can now use T (title) also.
    I didn't see that website you referred to before; it was quite helpful.

    I still have one problem that remains:
    My sub CA does not add the BasicConstraints extension to the certificate. Furthermore I would also like to make it critical. While I can successfully generate a request that contains these parameters:
    C:\PKI\test>certutil.exe -setextension 25 2.5.29.19 1 @bc.txt
    0000 30 00 0.
    CertUtil: -setextension command completed successfully.


    The resulting certificate doesn't contain it.

    I have also done the following but no change... Any ideas?

    C:\PKI\test>certutil -setreg policy\EditFlags -EDITF_BASICCONSTRAINTSCRITICAL
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\KFBN-FRNB Issuing CA Class A\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

    Old Value:
    EditFlags REG_DWORD = 83e6 (33766)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)

    New Value:
    EditFlags REG_DWORD = 83a6 (33702)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)


    Kris
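The before/after dump in this post is worth reading bit by bit: the Old Value 83e6 lists EDITF_BASICCONSTRAINTSCRITICAL (0x40) and the New Value 83a6 does not, so the command with the leading `-` cleared that flag; certutil -setreg sets a flag bit when the name is prefixed with `+` and clears it when prefixed with `-`. The script below is an added example, not code from the thread or from certutil, that parses the `EditFlags REG_DWORD = ...` line, names the set bits and reproduces the `+`/`-` arithmetic. The flag values are the ones certutil printed in the dump above, plus EDITF_ADDOLDKEYUSAGE (0x8 in certsrv.h), which post #2 uses but which the dump does not list because it is not set in that CA's value; the sample input is constructed from the dump.

```python
import re

# EditFlags bit values as certutil printed them in the dump above, plus
# EDITF_ADDOLDKEYUSAGE (0x8, from certsrv.h), which the dump omits because that bit is clear.
EDIT_FLAGS = {
    "EDITF_REQUESTEXTENSIONLIST": 0x2,
    "EDITF_DISABLEEXTENSIONLIST": 0x4,
    "EDITF_ADDOLDKEYUSAGE": 0x8,
    "EDITF_ATTRIBUTEENDDATE": 0x20,
    "EDITF_BASICCONSTRAINTSCRITICAL": 0x40,
    "EDITF_BASICCONSTRAINTSCA": 0x80,
    "EDITF_ENABLEAKIKEYID": 0x100,
    "EDITF_ATTRIBUTECA": 0x200,
    "EDITF_ATTRIBUTEEKU": 0x8000,
}

_DWORD_LINE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")


def parse_edit_flags_dump(text):
    """Pull the hex DWORD out of a 'EditFlags REG_DWORD = 83e6 (33766)' line."""
    m = _DWORD_LINE.search(text)
    if not m:
        raise ValueError("no EditFlags REG_DWORD line found")
    return int(m.group(1), 16)


def decode_edit_flags(value):
    """Name every set bit in ascending bit order; bits outside the table are reported as hex."""
    names, known = [], 0
    for name, bit in sorted(EDIT_FLAGS.items(), key=lambda kv: kv[1]):
        if value & bit:
            names.append(name)
            known |= bit
    for shift in range(32):
        bit = 1 << shift
        if value & bit and not known & bit:
            names.append(f"unknown 0x{bit:x}")
    return names


def apply_setreg(value, arg):
    """Mirror certutil -setreg for one flag argument:
    '+FLAG' sets the bit, '-FLAG' clears it (the form used in the post above)."""
    sign, name = arg[0], arg[1:]
    if sign not in "+-" or name not in EDIT_FLAGS:
        raise ValueError(f"unsupported argument {arg!r}")
    bit = EDIT_FLAGS[name]
    return value | bit if sign == "+" else value & ~bit


# Constructed from the "Old Value" block in the post above.
CONSTRUCTED_OLD_VALUE = "Old Value:\nEditFlags REG_DWORD = 83e6 (33766)\n"

if __name__ == "__main__":
    old = parse_edit_flags_dump(CONSTRUCTED_OLD_VALUE)
    new = apply_setreg(old, "-EDITF_BASICCONSTRAINTSCRITICAL")
    print(f"{old:x} -> {new:x}")          # 83e6 -> 83a6, the New Value the dump shows
    print(decode_edit_flags(new))
    print(f"{apply_setreg(new, '+EDITF_BASICCONSTRAINTSCRITICAL'):x}")  # back to 83e6
```

Paste the Old Value and New Value lines from your own `certutil -setreg` output into `parse_edit_flags_dump` and diff the two name lists; a flag that disappears between them was cleared, not set.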

  8. #8
    Join Date
    Jul 2008
    Posts
    4

    Customize Key usage on subordinate CA

    I apologize for being rude. I can't see much clear online documentation on this issue. The problem is exactly the same as reported by Kris: I need to customize the setup of a subordinate CA so that its certificate has a Key Usage value of only 'Certificate Signing, Off-line CRL Signing, CRL Signing (06)'. I successfully set up the Root CA by editing the CAPolicy.inf file with the lines:
    [Extensions]
    2.5.29.15=AwIBBg==
    Critical=2.5.29.15

    But the setup of the subordinate CA seems even more tricky. I used the setreg command you mentioned (certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE) on the Root CA before issuing the certificate, but the request (just as in the case of Kris) reads "Key Usage (Digital Signature,...)" and the root CA did not issue the certificate I want. I certainly miss something, but what? Technet (http://technet2.microsoft.com/window....mspx?mfr=true) did not say much more. Please help.

    Both CAs are Windows 2003.

  9. #9
    Join Date
    Sep 2004
    Posts
    136

    Re: Win2003 PKI : Subordinate CA certificate parameter

    Just to be sure, you want to have the key usage on a subordinate CA defined only for Certificate Signing, Off-line CRL Signing, CRL Signing - 0x06. And you have edited the Root CA CAPolicy.inf? I think that this is the issue. You need to edit the subordinate CA's CAPolicy.inf, as this is the place where you specify what kind of information will be present in the request for a certificate. You can verify whether your subordinate CA's certificate request contains the right key usage using the certutil -dump request.req command.

  10. #10
    Join Date
    Jul 2008
    Posts
    4
    Hi Martin,

    exactly, I want (my boss wants) the key usage on a subordinate ca defined only for Certificate Signing, Off-line CRL Signing, CRL Signing - 0x06.

    I understood that the CAPolicy.inf had to be edited only to set up the ROOT CA, so there is no CAPolicy.inf on the wannabe subordinate CA. It is very possible I misunderstood. If so, what should my CAPolicy.inf look like to reach that kind of CA certificate?

    My dumps all show the same frustrating values:

    -----------------------------------------------
    [...]
    Request Attributes: 3
    3 attributes:

    Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
    5.2.3790.2.Service Pack 2

    Attribute[1]: 1.3.6.1.4.1.311.2.1.14 (Certificate Extensions)
    Value[1][0]:
    Unknown Attribute type
    Certificate Extensions: 3
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
    Subject Type=CA
    Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
    a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
    Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)


    Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[2][0]:
    Unknown Attribute type
    Certificate Extensions: 5
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
    V0.0

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
    a9 32 4d 2d 6e 72 60 d1 cc 81 f1 3f 91 e9 c2 92 6a 35 db f0

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name
    SubCA

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
    Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
    Subject Type=CA
    Path Length Constraint=None
    [...]
    -----------------------------------------------

    Thank you so much for your reply and your help (it's 6pm here so I have to rush away).

  11. #11
    Join Date
    Sep 2004
    Posts
    103

    Re: Win2003 PKI : Subordinate CA certificate parameter

    You have to work with CAPolicy.inf here. It is located on the subordinate CA. This inf is used for the enrollment process and I am sure it is going to help you. The content of this file basically depends on the file. You can use it to customize the parameters and use them before CA installation.

  12. #12
    Join Date
    Jul 2008
    Posts
    4
    Thank you so much for your answer. I did manage to create a request that reads:

    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
    Certificate Signing, Off-line CRL Signing, CRL Signing (06)

    Now I have an error when trying to install the certificate and start the service. I'll try to restart the whole procedure from the beginning because I might have misconfigured something. I'll let you know here soon. The CApolicy.inf file is used for customizing the parameters of *any* (not only root) CA certificate before its certificate request is generated (either the first time or while renewing). It can also define other parameters of a CA prior to its installation. The structure of CAPolicy.inf depends on the determined requirements regarding the subordinate CA's certificate (e.g. key length, extended key usage, information regarding CPS, ...). It's still a bit tricky because both Certification Services setup and the certificate installation have to be done with an Enterprise Admin account. And still, until you install the certificate, the System event log shows some DCOM error. Thanks all for the support. I'll keep following this forum and try to go through the book Martin suggested before asking for help again.

  13. #13
    Join Date
    Dec 2009
    Posts
    1

    Re: Win2003 PKI : Subordinate CA certificate parameter

    Dear all,
    I have a problem with PathLenConstraint value,
    My subordinate CA is already set up, but when I check its certificate, the PathLenConstraint value is None, so how can I change it to zero or something different?

    Thanks,

  14. #14
    Join Date
    Jan 2010
    Posts
    1
    I have a problem: error 429, "ActiveX component can't create object". Is this related to the post that you are responding to?
