Re: Win2003 PKI : Subordinate CA certificate parameter




I apologize for being rude. I can't see much clear online documentation
on this issue.

The problem is exactly the same reported by Kris: I need to customize
the setup of a subordinate CA so that its certificate has a Key Usage
value of only 'Certificate Signing, Off-line CRL Signing, CRL Signing
(06)'. I successfully set up the Root CA by editing the CAPolicy.inf file
with the lines

[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15

but the setup of the subordinate CA seems even more tricky.

I used the setreg command you mentioned (certutil -setreg
policy\EditFlags -EDITF_ADDOLDKEYUSAGE) on the Root CA before issuing
the certificate, but the request (just as in the case of Kris) reads
"Key Usage (Digital Signature,...)" and the Root CA did not issue the
certificate I want. I am certainly missing something, but what?

Technet
(http://technet2.microsoft.com/windowsserver/en/library/f29fc69b-de1a-45ba-a0dd-a6b3d05137341033.mspx?mfr=true)
did not say much more. Please help.

Both CAs are Windows 2003.

Thank you a lot in advance.
Luciano

Paul Adare - MVP wrote:
On Fri, 18 Jul 2008 15:49:27 +0530, Luciano01 wrote:

What was the CORRECT solution ????
I'm getting crazy...

You've replied to a really, really old thread which has scrolled off of
my server and have not detailed the problem.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
A computer program does what you tell it to do, not what you want it to do.


--
Luciano01
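The 2.5.29.15=AwIBBg== line in the post is the base64 of the DER-encoded KeyUsage BIT STRING, so it helps to be able to build and check that value instead of copying it. The following is an added example, not code from the thread: it encodes a set of RFC 5280 key-usage names into the base64 form CAPolicy.inf expects and decodes one back, returning the usage names together with the hex of the value byte that Windows shows in parentheses, such as "(06)" for Certificate Signing plus CRL Signing. The Critical=2.5.29.15 line still has to be added separately; this code only produces the value.

```python
import base64

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
BIT_STRING_TAG = 0x03


def encode_key_usage(usages):
    """DER-encode a KeyUsage BIT STRING and return it base64-encoded, the form
    CAPolicy.inf expects after '2.5.29.15='."""
    positions = sorted(KEY_USAGE_BITS[u] for u in usages)
    if not positions:
        raise ValueError("KeyUsage must assert at least one bit")
    highest = positions[-1]
    nbytes = highest // 8 + 1
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)
    unused = nbytes * 8 - 1 - highest  # DER drops trailing zero bits of a named bit list
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    der = bytes([BIT_STRING_TAG, len(content)]) + content
    return base64.b64encode(der).decode("ascii")


def decode_key_usage(b64):
    """Parse a base64 DER KeyUsage BIT STRING; return (usage names, hex of value bytes).
    The hex is the code Windows displays in parentheses, e.g. '06'."""
    der = base64.b64decode(b64)
    if len(der) < 3 or der[0] != BIT_STRING_TAG or der[1] != len(der) - 2:
        raise ValueError("not a single short-form DER BIT STRING")
    unused, value = der[2], der[3:]
    if unused > 7 or not value:
        raise ValueError("invalid unused-bits count")
    nbits = len(value) * 8 - unused
    by_pos = {p: n for n, p in KEY_USAGE_BITS.items()}
    names = [by_pos[p] for p in range(nbits)
             if p in by_pos and value[p // 8] >> (7 - p % 8) & 1]
    return names, value.hex()


if __name__ == "__main__":
    print(encode_key_usage(["keyCertSign", "cRLSign"]))   # AwIBBg==
    print(decode_key_usage("AwIBBg=="))                   # (['keyCertSign', 'cRLSign'], '06')
```

Decoding the value from a request that also carries Digital Signature (a constructed input, not one taken from the thread) shows the extra bit immediately, which is a quick way to confirm whether a submitted request matches the intended policy before issuing.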


