Re: Certification Authority Certificate Template (own)

=?Utf-8?B?Um9ubmF4?= <Ronnax@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:9913C5B4-5931-474B-A5ED-59D7BEA6F4E3@xxxxxxxxxxxxx:

Hi,

I'm deploying an Enterprise Root Certification Authority using Win2K3
enterprise. However, I ran into an issue: one of my applications
requires that the CA certificate have the "non-repudiation" key usage
bit set, but the vanilla install issues a certificate (for the CA)
without this key usage.

How can I configure Windows 2003 so that when I install the CA service
the certificate generated for the CA has my desired key usages?

Thanks,
R.


Hi there --

I queried the product team about this, and received the following response
that I hope is helpful:

"The problem is that the key usage extension is picked up from the 'CA'
template (root CA template), if the template is available.

If the template is not available, then a canned extension is used.

The 'CA' template is a V1 template, so we do not support editing the
template.

The best option is to supply a modified KeyUsage extension in
%windir%\CAPolicy.inf, so it would be picked up during root CA
installation.

This should override the extension supplied by the template as well as the
canned extension."



After the CA is installed, certutil -sign could be used to modify the
extension and re-sign the root CA cert.

You would have to place a hex dump of the desired extension in an input
file for certutil -sign to use.

Then you would have to install the cert, associate it with the private key,
modify the CA's registry to use the modified cert and restart the CA.


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
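
An added example, not part of the original post and not Microsoft code: the reply above calls for a modified KeyUsage extension value (and a hex dump of it for certutil -sign), and this sketch shows how that value is DER-encoded as a BIT STRING per RFC 5280 and decoded again for checking. The usage set in `ROOT_CA_SAMPLE` is a constructed sample, and how the bytes are written into CAPolicy.inf or the certutil input file is not covered because the post does not give that syntax.

```python
import base64

# Bit positions from RFC 5280, section 4.2.1.3 (bit 0 is the most significant bit).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Constructed sample: a CA certificate that also asserts nonRepudiation.
ROOT_CA_SAMPLE = ["digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"]

def encode_key_usage(usages):
    """Return the DER BIT STRING (extension value) for the named usage bits."""
    positions = sorted(KEY_USAGE_BITS[name] for name in set(usages))
    if not positions:
        return bytes([0x03, 0x01, 0x00])  # empty BIT STRING
    content = bytearray(positions[-1] // 8 + 1)
    for pos in positions:
        content[pos // 8] |= 0x80 >> (pos % 8)
    # DER drops trailing zero bits and records how many bits of the
    # last octet are unused.
    unused = 7 - (positions[-1] % 8)
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)

def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING back into usage names, in bit order."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bit count")
    total_bits = len(content) * 8 - unused
    return [name for name, pos in KEY_USAGE_BITS.items()
            if pos < total_bits and content[pos // 8] & (0x80 >> (pos % 8))]

if __name__ == "__main__":
    der = encode_key_usage(ROOT_CA_SAMPLE)
    print("hex:   ", der.hex(" "))
    print("base64:", base64.b64encode(der).decode())
    print("decoded:", decode_key_usage(der))
```

Decoding the KeyUsage value from the installed CA certificate and comparing it with the intended set confirms that the override took effect.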