New-SelfSignedCertificate set Basic Constraint - Subject is end entity

  • Question

  • Hello,

    I need to explicitly set the CA=false basic constraint on a self-signed certificate.

    Looking at the help, this is done with the -TextExtension property, but the help is not clear:

    https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps 

    There's an OUI: 

    • Basic Constraints. 2.5.29.19

    But no clear explanation of how to craft the command to set this basic constraint.

    Is this even possible?

    Wednesday, November 22, 2017 2:43 AM

Answers

  • Should be:

    -TextExtension @("2.5.29.19={text}false")

    The text should accept any keyword.  True/false are keywords.


    \_(ツ)_/


    • Marked as answer by WillPage Wednesday, November 22, 2017 8:59 PM
    • Edited by jrv Wednesday, November 22, 2017 9:07 PM
    Wednesday, November 22, 2017 8:24 PM

All replies

  • See example 3.

    # Backticks continue the command across lines; inside @( ) no continuation is needed
    New-SelfSignedCertificate -Type Custom `
    		-Subject "E=patti.fuller@contoso.com,CN=Patti Fuller" `
    		-TextExtension @(
    				"2.5.29.37={text}1.3.6.1.5.5.7.3.4",
    				"2.5.29.17={text}email=patti.fuller@contoso.com&upn=pattifuller@contoso.com"
    				) `
    		-KeyUsage DataEncipherment `
    		-KeyAlgorithm RSA `
    		-KeyLength 2048 `
    		-SmimeCapabilities `
    		-CertStoreLocation "Cert:\CurrentUser\My"


    \_(ツ)_/

    Wednesday, November 22, 2017 3:22 AM
  • That example uses -TextExtension, but not for Basic Constraints. I get that it'll be -TextExtension @("2.5.29.19={text}something here, maybe an OID???"

    ..but what exactly?

    Wednesday, November 22, 2017 8:19 PM
  • Awesome thanks. Slight typo, but this has done it:

    -TextExtension @("2.5.29.19={text}false")

    Many thanks.

    Wednesday, November 22, 2017 8:59 PM
  • Sorry.  I fixed the typo for others. 

    \_(ツ)_/

    Wednesday, November 22, 2017 9:07 PM
  • Why is this the answer?  lol... can you context please and documentation... keywords? creates in two properties and values??? 

    Christian CXM

    Friday, February 2, 2018 12:58 PM
  • Hi,

    this worked for me too, but I was wondering if it's possible to add the parameter PathLen, too. There is also no documentation yet, so I tried to guess the right syntax and I was successful with the following:

    TextExtension = @("2.5.29.19={text}cA=true&pathLength=2")

    Greetings,
    Ludwig


    Friday, May 31, 2019 7:58 PM
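
Since the syntax in this thread was arrived at by guessing, it is worth reading the extension back from the issued certificate instead of trusting the string. The following is an added example, not code from any poster in the thread: it creates one certificate per `-TextExtension` string quoted above, decodes OID 2.5.29.19, and prints what was actually encoded. The subject names and the helper name `Get-BasicConstraints` are assumptions made for illustration.

```powershell
# Added example: decode Basic Constraints (OID 2.5.29.19) from a certificate.
# Get-BasicConstraints and the CN=bc-*-test subjects are hypothetical names.
function Get-BasicConstraints {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # .NET exposes 2.5.29.19 as a typed X509BasicConstraintsExtension object
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc) {
        # Extension absent: report that explicitly instead of implying CA=false
        return [pscustomobject]@{
            Subject = $Cert.Subject; Present = $false
            IsCA = $null; HasPathLen = $null; PathLen = $null; Critical = $null
        }
    }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Present    = $true
        IsCA       = $bc.CertificateAuthority
        HasPathLen = $bc.HasPathLengthConstraint
        PathLen    = $bc.PathLengthConstraint
        Critical   = $bc.Critical
    }
}

# The two extension strings are the ones posted in the thread above.
$cases = [ordered]@{
    'CN=bc-endentity-test' = '2.5.29.19={text}false'
    'CN=bc-ca-test'        = '2.5.29.19={text}cA=true&pathLength=2'
}

$results = foreach ($case in $cases.GetEnumerator()) {
    $cert = New-SelfSignedCertificate -Subject $case.Key `
        -TextExtension @($case.Value) `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    Get-BasicConstraints -Cert $cert
    # Remove the throwaway certificate and its private key from the store
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}

$results | Format-Table -AutoSize
```

For a certificate meant to be an end entity, the row should show `Present` as True and `IsCA` as False; a row with `Present` as False means the extension was not written at all.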