Re: Win2003 PKI : Subordinate CA certificate parameter



Hi,

You need to change the CAPolicy.inf on the subordinate CA. CAPolicy.inf is used during the enrollment process, and the request and its contents depend on the file.

As the dump says:

Luciano01 wrote:
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

the request already contains key usage 0x86 described as above and the root CA is issuing a certificate based on that request.

> I understood that the CAPolicy.inf had to be edited only to setup the
> ROOT CA, so there is no CAPolicy.inf on the wannabe subordinate CA. It
> is very possible I misunderstood. If so, what my CAPolicy.inf look like
> to reach that kind of CA certificate ?

CAPolicy.inf is used for customizing the parameters of *any* (not only root) CA certificate before its certificate request is generated (either the first time or while renewing). It can also define other parameters of a CA prior to its installation.

The structure of CAPolicy.inf depends on the requirements determined for the subordinate CA's certificate (e.g. key length, extended key usage, information regarding the CPS, ...).

If you want some further reading I can recommend you the great book written by Brian Komar "Windows Server 2008 PKI and Certificate Security".

If you just want the job done, try the following CAPolicy.inf on the subordinate CA (not recommended as-is; you should modify this CAPolicy.inf so it fits your environment):

[Version]
Signature="$Windows NT"

[Extensions]
2.5.29.15=AwIBBg==
Critical=2.5.29.15


Best regards

Martin
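The value on the `2.5.29.15=` line is the DER-encoded Key Usage BIT STRING, base64-encoded. The following script is an added example (not part of Martin's reply or of any Microsoft tool) that derives such a value from flag names, decodes one back to check it, and emits the resulting CAPolicy.inf text. It shows why `AwIBBg==` means Certificate Signing + Off-line CRL Signing + CRL Signing (06), while the value that Luciano01's request carried additionally sets Digital Signature (86). The function names and the helper that prints the first value octet are my own; only the OID, the bit positions (RFC 5280 section 4.2.1.3) and the CAPolicy.inf layout come from the thread and the standard.

```python
import base64

# Key usage bit positions from RFC 5280, section 4.2.1.3. Bit 0 is the most
# significant bit of the first octet of the BIT STRING value, so
# keyCertSign (5) and cRLSign (6) together give the octet 0x06.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}
BIT_NAMES = {v: k for k, v in KEY_USAGE_BITS.items()}


def key_usage_der(flags):
    """DER-encode a KeyUsage BIT STRING (tag 0x03) for the given flag names."""
    positions = sorted(KEY_USAGE_BITS[f] for f in flags)
    if not positions:
        # Empty BIT STRING: tag, length 1, zero unused bits.
        return bytes([0x03, 0x01, 0x00])
    n_bits = positions[-1] + 1            # DER drops trailing zero bits
    n_bytes = (n_bits + 7) // 8
    value = bytearray(n_bytes)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    unused = n_bytes * 8 - n_bits         # first content octet of a BIT STRING
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def key_usage_b64(flags):
    """The base64 form that goes after '2.5.29.15=' in CAPolicy.inf."""
    return base64.b64encode(key_usage_der(flags)).decode("ascii")


def decode_key_usage(b64):
    """Parse a base64 DER BIT STRING back into flag names, validating DER rules."""
    der = base64.b64decode(b64)
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed single-octet-length BIT STRING TLV")
    unused, value = der[2], der[3:]
    if unused > 7 or (value and value[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid unused-bit count or non-zero padding bits")
    total = len(value) * 8 - unused
    return [BIT_NAMES.get(p, f"bit{p}")
            for p in range(total) if value[p // 8] & (0x80 >> (p % 8))]


def first_value_octet(b64):
    """First octet of the value, the number certutil shows in parentheses (06, 86)."""
    der = base64.b64decode(b64)
    return der[3] if len(der) > 3 else 0


def build_capolicy_inf(flags):
    """CAPolicy.inf text in the layout used in the reply above, marked critical."""
    return "\n".join([
        "[Version]",
        'Signature="$Windows NT"',
        "",
        "[Extensions]",
        f"2.5.29.15={key_usage_b64(flags)}",
        "Critical=2.5.29.15",
        "",
    ])


if __name__ == "__main__":
    wanted = ["keyCertSign", "cRLSign"]                      # 0x06, what the OP wants
    seen = ["digitalSignature", "keyCertSign", "cRLSign"]    # 0x86, what the dump showed
    print("wanted:", key_usage_b64(wanted), "->", decode_key_usage(key_usage_b64(wanted)))
    print("seen:  ", key_usage_b64(seen), "->", decode_key_usage(key_usage_b64(seen)))
    print(build_capolicy_inf(wanted))
```

Place the generated file as %SystemRoot%\CAPolicy.inf on the subordinate CA before installing Certificate Services (or before renewing the CA certificate), then confirm the generated request with `certutil -dump request.req` and check that the Key Usage line shows (06) rather than (86).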


