Re: Is it possible??.... Defining Root Certificate KeyUsage

From: Patrick Morrissey (pjmorris@rockwellcollins.com)
Date: 10/01/02

Thanks for the response, David. For instance, the self-signed certificate
for the offline root and each of the certificates signed by it for the
intermediate servers list every possible key usage defined within the PKI
OIDs, i.e.:
(Ensures the identity of a remote computer, Proves your identity to a remote
computer, Ensures software came from software publisher, Protects software
from alteration after publication, Protects e-mail messages, Allows data to
be signed with the current time, Allows you to digitally sign a certificate
trust list, Allows secure communication on the Internet, Allows data on disk
to be encrypted, Windows Hardware Driver Verification, Windows System
Component Verification, OEM Windows System Component Verification, Embedded
Windows System Component Verification, Key Pack Licenses, License Server
Verification, Smart Card Logon, Digital Rights, File Recovery).

Since the only use these root and intermediate keys are designed for is
certificate signature and CRL signing, I would like to restrict their
functionality to just those uses. When you've installed your CA as an
Enterprise CA you have this capability through policies to designate
certificate types the CA can issue. But in the case of stand-alone CAs,
which are recommended for the secure root and the intermediate levels, these
options don't seem to be readily available.

Am I making sense?

Thanks again

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:#uuQXB9ZCHA.1792@tkmsftngp11...
> What Key Usage would you like to constrain? This is not normal to do...
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Patrick Morrissey" <pjmorris@rockwellcollins.com> wrote in message
> news:e8NJunXZCHA.2492@tkmsftngp12...
> > I'm setting up a CA hierarchy for our enterprise that will consist of the
> > standard 3 tiers from Root to Issuing servers. The Root and intermediate
> > tier are standalone CAs and hence do not have access to certificate
> > templates. I would like to restrict the KeyUsage parameter of the self
> > signed root CA and the policy CAs. Is this possible? The capolicy.inf
> > allows definition of ExtendedKeyUsage but not of KeyUsage from what I can
> > tell. Anyone had experience with this??
> >
> > Thanks
> > Patrick Morrissey
> >
> >
>
>
