Re: Configure a CAPolicy.inf file

From: Laudon Williams [MSFT] (laudonw_at_online.microsoft.com)
Date: 09/25/03


Date: Thu, 25 Sep 2003 14:25:17 -0700


[BasicConstraintsExtension]
PathLength = 13
Critical = True

[Extensions]
2.5.29.15 = AwIBBg==
Critical = 2.5.29.15

This should do it.

"Anette Andresen" <anette_andresen@hotmail.com> wrote in message
news:u2nOEBegDHA.2576@TK2MSFTNGP11.phx.gbl...
> I'm trying to install and configure a Windows Server 2003 Stand alone root
> CA.
> I have configured most of the CAPolicy.inf file the way I want it using
> examples from
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_CS_Setup.asp
>
> But there are two things I would like to configure:
>
> 1. The path length constraint, and
>
> 2. The key usage field
>
> According to
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssch_pki_mglu.asp
> it is possible to configure the path length constraint using a CAPolicy.inf
> file, but how exactly is this done? What should I write in my CAPolicy.inf
> file?
>
> And according to an earlier posting (from Michael Branco dated 2003-08-20)
> concerning "Customizing the Root Certificate" the answer there was that
> changing the key usage was possible with the use of a CAPolicy.inf file and
> a link to a best practice document was given
> (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp)
> But I can't find out how this is done, and again what should I write in my
> CAPolicy.inf file if I, for example, just want the key usage to be certificate
> signing and CRL signing?
>
> Regards,
> Anette Andresen
>
>
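
An added example, not part of the original thread: 2.5.29.15 is the X.509 Key Usage extension OID, and the value after it is a base64-encoded DER BIT STRING. The Python below decodes the `AwIBBg==` value from the reply to show which usage bits it sets, and encodes a chosen set of usages back into the form CAPolicy.inf expects. The function names are this example's own; the bit names follow RFC 5280.

```python
import base64

# Bit names for the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
# Bit 0 is the most significant bit of the first content octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(b64_value):
    """Decode a base64 DER BIT STRING into a list of key usage names."""
    der = base64.b64decode(b64_value, validate=True)
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] != len(der) - 2:  # short-form length is enough for key usage
        raise ValueError("length octet does not match content")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bits count")
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte < len(content) and content[byte] & (0x80 >> bit):
            names.append(name)
    return names

def encode_key_usage(names):
    """Build the base64 DER BIT STRING for the given key usage names."""
    unknown = set(names) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage: {sorted(unknown)}")
    bits = [name in names for name in KEY_USAGE_BITS]
    if not any(bits):
        return base64.b64encode(bytes([0x03, 0x01, 0x00])).decode()
    last = max(i for i, b in enumerate(bits) if b)  # DER drops trailing zero bits
    content = bytearray(last // 8 + 1)
    for i, b in enumerate(bits):
        if b:
            content[i // 8] |= 0x80 >> (i % 8)
    unused = 7 - (last % 8)
    der = bytes([0x03, len(content) + 1, unused]) + bytes(content)
    return base64.b64encode(der).decode()

if __name__ == "__main__":
    print(decode_key_usage("AwIBBg=="))  # value taken from the reply above
    print(encode_key_usage(["keyCertSign", "cRLSign"]))
```

Decoding a value before CA setup confirms that the root certificate will carry only the intended usages, since the extension cannot be changed after the certificate is issued without renewing it.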


