Certification Authority Certificate Template (own)

Discussion in 'Windows Server' started by Ronnax, Dec 13, 2006.

  1. Ronnax

    Ronnax Guest


    I'm deploying an Enterprise Root Certification Authority using Win2K3
    enterprise. However, I ran into an issue: one of my applications requires
    that the CA certificate have the "non-repudiation" key usage bit set, but the
    vanilla install issues a certificate (for the CA) without this key usage.

    How can I configure Windows 2003 so that when I install the CA service the
    certificate generate for the CA have my desired key usages?

    Ronnax, Dec 13, 2006
    1. Advertisements

  2. Hi,

    Which application requires this? This is highly unorthadox. Are you sure
    that the requirement is for the CA certificate to have the non-repudiation
    key usage and not for the client certificates? This would be much more
    common configuration and easily accomplished. Is there any documentation
    from the software vendor outlining this requirement?

    Hope this helps,

    Brian Delaney
    Microsoft Canada
    Brian Delaney [MSFT], Dec 14, 2006
    1. Advertisements

  3. Hi there --

    I queried the product team about this, and received the following response
    that I hope is helpful:

    "The problem is that the key usage extension is picked up from the 'CA'
    template (root CA template), if the template is available.

    If the template is not available, then a canned extension is used.

    The 'CA' template is a V1 template, so we do not support editing the

    The best option is to supply a modified KeyUsage extension in
    %windir%\CAPolicy.inf, so it would be picked up during root CA

    This should override the extension supplied by the template as well as the
    canned extension."

    After the CA is installed, certutil –sign could be used to modify the
    extension and re-sign the root CA cert.

    You would have to place a hex dump of the desired extension in an input
    file for certutil –sign to use.

    Then you would have to install the cert, associate it with the private key,
    modify the CA’s registry to use the modified cert and restart the CA.

    James McIllece, Microsoft

    Please do not send email directly to this alias. This is my online account
    name for newsgroup participation only.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    James McIllece [MS], Jan 3, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.