Can't make the Enhanced key usage extension critical
- Hi
I am currently testing the CA functionality in Windows Server 2008 to see if it meets a specific set of requirements.
During this testing I have encountered the following problem:
I have not been able to mark the enhanced key usage extension as critical. When I check this option during certificate creation it only results in the application policies extension being marked critical and not the enhanced key usage extension. This is a problem as the requirements specifically state that the extended key usage extension (OID 2.5.29.37) shall be marked critical.
Is it possible to make this extension critical? And is it possible to add only the enhanced key usage extension instead of adding both the enhanced key usage and application policies extensions?
Answers
- Hi,
I haven't searched a lot, but I could not find a way to make extended key usage critical through the UI (Certificate Templates), but you can do this using adsiedit. Be very careful though, ADSIedit is a powerful tool.
Navigate to Services node, Public key services and certificate templates. Pick a certificate template and select properties.
According to http://msdn.microsoft.com/en-us/library/ms679119(VS.85).aspx pkiCriticalExtensions contains a list of extensions that should be marked critical. If you add 2.5.29.37 there, then extended key usage will be critical.
Once again, be very careful with adsiedit and make sure you back up your template before editing.
HTH
Martin Rublik
- Proposed As Answer by Vadims Podans MVP, Monday, November 09, 2009 9:54 AM
- Marked As Answer by Bakkis, Monday, November 09, 2009 11:45 AM
All Replies
- After such a manual change, you should also increment the minor version of the template to let it update client caches.
And again, this is not a supported operation, as Martin said.
ondrej.
- Proposed As Answer by Vadims Podans MVP, Monday, November 09, 2009 9:53 AM
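
The two steps from the replies above (add 2.5.29.37 to pkiCriticalExtensions, then raise the template's minor version), followed by a check of the critical flag on an issued certificate, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the template name and certificate path are hypothetical placeholders, and msPKI-Template-Minor-Revision is taken to be the attribute behind the "minor version" mentioned above.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later) and rights to edit templates.
Import-Module ActiveDirectory

$TemplateName = 'ExampleTemplateCopy'    # hypothetical template CN
$IssuedCert   = 'C:\temp\issued.cer'     # hypothetical test certificate path
$EkuOid       = '2.5.29.37'              # Enhanced Key Usage OID from the thread

# Same container ADSI Edit shows under Services > Public Key Services.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Record the template's current attributes before touching it.
$tmpl = Get-ADObject -Identity $dn -Properties *
$tmpl | Export-Clixml -Path ".\$TemplateName-before.xml"

if ($tmpl.pKICriticalExtensions -contains $EkuOid) {
    Write-Output "$EkuOid is already listed in pKICriticalExtensions"
} else {
    # Add the OID and raise the minor version in one call.
    # Assumption: msPKI-Template-Minor-Revision holds the minor version.
    $minor = [int]$tmpl.'msPKI-Template-Minor-Revision' + 1
    Set-ADObject -Identity $dn `
        -Add     @{ 'pKICriticalExtensions' = $EkuOid } `
        -Replace @{ 'msPKI-Template-Minor-Revision' = $minor }
}

# After enrolling a fresh test certificate, confirm the flag on the result.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCert
$cert.Extensions |
    Where-Object { $_.Oid.Value -eq $EkuOid } |
    Select-Object @{ n = 'Oid'; e = { $_.Oid.Value } }, Critical
```

Run the final check only against a certificate enrolled after the template change; certificates issued earlier keep the flags they were issued with.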

