How do I set the keyUsage field in my offline, stand-alone root CA certificate to Critical=Yes?

    Question

  • Hello All,

    I've installed Active Directory Certificate Services on Windows Server 2008 R2 Standard Edition several times.  Everything seems to work fine, except that the keyUsage field in the root certificate is set to Critical = No.

    Current standard best practice is that the keyUsage field be set to Critical (see RFC5280, where it clearly states:  "When present, conforming CAs SHOULD mark this extension as critical").

    I am at a loss as to how to do this.  I can't find any documentation either in the forums or technet or MSDN or google.  I've tried putting the following section in CAPolicy.inf, but it didn't work:

    [keyUsage]
    Critical=Yes

    I tried [keyUsageExtension], but still no luck.

    I can't find the registry setting or policy setting.

    Can someone help?

    Remember, this is an offline, stand-alone root CA, so there is no ADSI or other Active Directory or Cert templates available to me.
    Monday, November 01, 2010 12:33 PM

Answers

  • Well, I managed to get some help from Microsoft Support, and this is the answer:

    In the CAPolicy.inf file (which must be used BEFORE installing AD CS), you must have the following entries:

    [Extensions]
    2.5.29.15 = AwIBhg==
    Critical = 2.5.29.15

    This will set the keyUsage field to Critical = True (OID for keyUsage is 2.5.29.15), and will set the value to Certificate Signing, CRL Sign, Offline CRL Signing, Digital Signature.

    If you do not want Digital Signature as part of the values in keyUsage, then you have to use the following:

    [Extensions]
    2.5.29.15 = AwIBBg==
    Critical = 2.5.29.15

    Unfortunately, no one at MS has been able to explain to me the exact meaning of AwIBBg== or AwIBhg as ways to encode keyUsage values....

    • Marked as answer by PPavlenyi Thursday, November 04, 2010 6:16 PM
    Thursday, November 04, 2010 6:14 PM

All replies

  • If you Base64-decode AwIBBg== or AwIBhg== you have the data on http://support.microsoft.com/kb/888180 in bytes.

    AwIBBg== decodes to 03 02 01 06
    CERT_KEY_CERT_SIGN_KEY_USAGE |
    CERT_OFFLINE_CRL_SIGN_KEY_USAGE |
    CERT_CRL_SIGN_KEY_USAGE

    AwIBhg== decodes to 03 02 01 86
    CERT_DIGITAL_SIGNATURE_KEY_USAGE |
    CERT_KEY_CERT_SIGN_KEY_USAGE |
    CERT_OFFLINE_CRL_SIGN_KEY_USAGE |
    CERT_CRL_SIGN_KEY_USAGE

    Friday, October 07, 2011 12:08 PM
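As an added worked example (not part of the original thread or of any Microsoft tooling), the following Python script makes explicit what the marked answer and the decoding reply above leave implicit: the value placed after the 2.5.29.15 OID in CAPolicy.inf is the base64 of a DER BIT STRING, and each bit of that string is one of the named KeyUsage bits from RFC 5280. It decodes AwIBhg== and AwIBBg== into usage names, encodes a chosen set of usages back into the CAPolicy.inf value, and emits the [Extensions] section. The function and constant names are the example's own.

```python
import base64

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first payload byte (DER BIT STRING ordering), so digitalSignature is 0x80.
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0 (0x80)
    "nonRepudiation",    # bit 1 (0x40), also called contentCommitment
    "keyEncipherment",   # bit 2 (0x20)
    "dataEncipherment",  # bit 3 (0x10)
    "keyAgreement",      # bit 4 (0x08)
    "keyCertSign",       # bit 5 (0x04)
    "cRLSign",           # bit 6 (0x02)
    "encipherOnly",      # bit 7 (0x01)
    "decipherOnly",      # bit 8 (0x80 of the second byte)
]

KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage, as used in the answer above


def decode_key_usage(b64_value):
    """Decode a CAPolicy.inf keyUsage value (base64 DER BIT STRING) to bit names."""
    der = base64.b64decode(b64_value)
    # Expect: tag 0x03 (BIT STRING), one-byte length, unused-bits count, payload.
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent DER length")
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (not payload and unused_bits):
        raise ValueError("invalid unused-bits count")
    names = []
    for i in range(len(payload) * 8 - unused_bits):
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names


def encode_key_usage(names):
    """Encode a set of RFC 5280 KeyUsage bit names as the CAPolicy.inf value."""
    bits = [KEY_USAGE_BITS.index(n) for n in names]
    highest = max(bits)
    nbytes = highest // 8 + 1
    payload = bytearray(nbytes)
    for b in bits:
        payload[b // 8] |= 0x80 >> (b % 8)
    # DER requires trailing zero bits of a named bit list to be dropped; the
    # unused-bits byte records how many low bits of the last byte are padding.
    unused_bits = nbytes * 8 - (highest + 1)
    der = bytes([0x03, 1 + nbytes, unused_bits]) + bytes(payload)
    return base64.b64encode(der).decode("ascii")


def capolicy_extensions_section(names):
    """Render the [Extensions] section in the form the marked answer uses."""
    return "\n".join([
        "[Extensions]",
        f"{KEY_USAGE_OID} = {encode_key_usage(names)}",
        f"Critical = {KEY_USAGE_OID}",
    ])


if __name__ == "__main__":
    # The two values from the thread: 03 02 01 86 and 03 02 01 06.
    for value in ("AwIBhg==", "AwIBBg=="):
        print(value, "->", base64.b64decode(value).hex(" "), decode_key_usage(value))
    # A root CA that signs certificates and CRLs only (no digitalSignature):
    print(capolicy_extensions_section(["keyCertSign", "cRLSign"]))
```

Decoding 0x06 yields only two RFC 5280 bits (keyCertSign, cRLSign), while the reply above lists three Windows flags for it; that is because CERT_OFFLINE_CRL_SIGN_KEY_USAGE and CERT_CRL_SIGN_KEY_USAGE share the same bit value (0x02) in wincrypt.h. After installing the CA from a CAPolicy.inf built this way, `certutil -dump` on the exported root certificate (add `-v` for verbose output) shows the Key Usage extension together with its critical flag, which is the check that closes the loop on the original question.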