Re: IPSEC policies using third party certificates

From: mikee.netsec
Date: 06/09/05

Date: 9 Jun 2005 13:47:40 -0700

I believe I found my own answer (finally). Changing the key usage
parameter to 0x30 instead of 0xA0 sets the certificate usage for Key
Encipherment, Data Encipherment. This is the only piece I believe I
was missing, as the initial certificates and testing appear to be
working. If you use the template below with the certreq utility
(available in the Windows Server 2003 Adminpak.msi) you should be able
to generate a PKCS#10 Certificate Request for ANY CA that supports Key
Encipherment and Data Encipherment key usages.

The certreq utility can be run on Windows 2000, XP, and 2003. Since
the Windows 2003 adminpak.msi only runs on XP and Server 2003, you need
to copy the certreq.exe, certadm.dll, certcli.dll, and certutil.exe
files to a local or shared directory to run it on Windows 2000.

; certreq INF file: save as request.inf and run "certreq -new request.inf request.req"
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=<server fqdn>"          ; certreq expects an X.500 name, hence the CN= prefix
KeySpec = 1                           ; AT_KEYEXCHANGE
KeyLength = 2048
KeyUsage = 0x30                       ; KeyEncipherment (0x20) + DataEncipherment (0x10); 0xA0 was DigitalSignature + KeyEncipherment
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12                     ; PROV_RSA_SCHANNEL
Exportable = TRUE
MachineKeySet = FALSE
Silent = TRUE
UseExistingKeySet = FALSE
PrivateKeyArchive = FALSE
EncipherOnly = FALSE
UserProtected = FALSE

[RequestAttributes]
CertificateTemplate = "IPSECIntermediateOffline"
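To see exactly what the 0xA0 to 0x30 change does, here is an added example (not part of the original post) that decodes the one-byte certreq KeyUsage value into RFC 5280 usage names, produces the DER BIT STRING the extension ends up as in the certificate, and reports which required usages a given mask is missing; the required-usage list is the poster's own (Key Encipherment, Data Encipherment).

```python
# Added example: interpret the certreq KeyUsage byte the way RFC 5280 does.
# Bit 0 (digitalSignature) is the most significant bit of the first byte of
# the KeyUsage BIT STRING, which is the byte certreq's "KeyUsage = 0x.." sets.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly",
    # bit 8, decipherOnly, needs a second byte and is not expressible in one certreq byte
]


def decode_key_usage(mask):
    """Return the usage names set in a single-byte certreq KeyUsage value."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("certreq KeyUsage is a single byte")
    return [name for bit, name in enumerate(KEY_USAGE_BITS) if mask & (0x80 >> bit)]


def encode_key_usage(names):
    """Inverse of decode_key_usage: build the certreq byte from usage names."""
    mask = 0
    for name in names:
        mask |= 0x80 >> KEY_USAGE_BITS.index(name)  # ValueError on unknown names
    return mask


def der_key_usage(mask):
    """DER encoding of the KeyUsage extension value: BIT STRING with trailing
    zero bits marked as unused (DER requires this for named bit lists)."""
    if mask == 0:
        return b"\x03\x01\x00"
    unused = (mask & -mask).bit_length() - 1  # count of trailing zero bits
    return bytes([0x03, 0x02, unused, mask])


def missing_usages(mask, required):
    """Usages from `required` that the mask does not grant (the poster's problem
    with 0xA0 was exactly one missing usage)."""
    present = set(decode_key_usage(mask))
    return [u for u in required if u not in present]


if __name__ == "__main__":
    needed = ["keyEncipherment", "dataEncipherment"]  # from the post
    for mask in (0xA0, 0x30):
        print(hex(mask), decode_key_usage(mask), der_key_usage(mask).hex(),
              "missing:", missing_usages(mask, needed))
```

The DER output (e.g. 03 02 04 30) is what a certificate dumper such as certutil shows for the KeyUsage extension, so the mask can be checked against the issued certificate rather than just the INF.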
