Re: Is it possible??.... Defining Root Certificate KeyUsage

From: Patrick Morrissey (
Date: 10/01/02

From: "Patrick Morrissey" <>
Date: Tue, 1 Oct 2002 14:01:38 -0500

Thanks for the response, David. For instance, the self-signed certificate
for the offline root and each of the certificates signed by it for the
intermediate servers list every possible key usage defined within the PKI
OIDs. I.e.:
(Ensures the identity of a remote computer, Proves your identity to a remote
computer, Ensures software came from software publisher, Protects software
from alteration after publication, Protects e-mail messages, Allows data to
be signed with the current time, Allows you to digitally sign a certificate
trust list, Allows secure communication on the Internet, Allows data on disk
to be encrypted, Windows Hardware Driver Verification, Windows System
Component Verification, OEM Windows System Component Verification, Embedded
Windows System Component Verification, Key Pack Licenses, License Server
Verification, Smart Card Logon, Digital Rights, File Recovery).

Since the only use these root and intermediate keys are designed for is
certificate signature and CRL signing, I would like to restrict their
functionality to just those uses. When you've installed your CA as an
Enterprise CA you have this capability through policies to designate
certificate types the CA can issue. But in the case of stand-alone CAs
that are recommended for the secure root and the intermediate levels these
options don't seem to be readily available.

Am I making sense?

Thanks again

"David Cross [MS]" <> wrote in message
> What Key Usage would you like to constrain? This is not normal to do...
> --
> David B. Cross [MS]
> --
> This posting is provided "AS IS" with no warranties, and confers no
> "Patrick Morrissey" <> wrote in message
> news:e8NJunXZCHA.2492@tkmsftngp12...
> > I'm setting up a CA hierarchy for our enterprise that will consist of
> > standard 3 tiers from Root to Issuing servers. The Root and
> > tier are standalone CAs and hence do not have access to certificate
> > templates. I would like to restrict the KeyUsage parameter of the self-
> > signed root CA and the policy CAs. Is this possible? The capolicy.inf
> > allows definition of ExtendedKeyUsage but not of KeyUsage from what I
> > tell. Anyone had experience with this??
> >
> > Thanks
> > Patrick Morrissey
> >
> >
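
The following is an added example, not part of the original posts: one way to audit whether a CA certificate's KeyUsage extension (OID 2.5.29.15) asserts only the certificate-signing and CRL-signing bits the thread asks for. It assumes the DER-encoded BIT STRING value of the extension has already been extracted from the certificate; the function names and sample bytes are constructed for illustration.

```python
# Added example: decode the DER value of an X.509 KeyUsage extension
# and report any usages beyond keyCertSign and cRLSign.

# Bit names in RFC 5280 order; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]
CA_ONLY = {"keyCertSign", "cRLSign"}  # the restriction asked for in the thread


def decode_key_usage(der: bytes) -> set:
    """Return the set of usage names asserted in a DER BIT STRING."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length for a KeyUsage value")
    unused, body = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    if body[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        if byte_index < len(body) and body[byte_index] & (0x80 >> bit):
            usages.add(name)
    return usages


def audit_ca_key_usage(der: bytes) -> list:
    """Return usages asserted beyond keyCertSign/cRLSign; empty means compliant."""
    usages = decode_key_usage(der)
    missing = CA_ONLY - usages
    if missing:
        raise ValueError("CA certificate lacks: " + ", ".join(sorted(missing)))
    return sorted(usages - CA_ONLY)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    samples = {"restricted": bytes.fromhex("03020106"),
               "with digitalSignature": bytes.fromhex("03020186")}
    for label, value in samples.items():
        print(label, sorted(decode_key_usage(value)), "extra:", audit_ca_key_usage(value))
```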