
I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019.

The RootCA seems to ignore the CAPolicy.inf file configuration settings, when attempting to sign the SubCA's CSR, as shown in the pending request properties view:

[screenshot: pending request properties view on the RootCA]

The CAPolicy.inf on the RootCA (%SystemRoot%\CAPolicy.inf) is this:

[Version]
Signature= "$Windows NT$"

[Strings]
szOID_KEY_USAGE = "2.5.29.15"

[Extensions]
%szOID_KEY_USAGE% = AwIBhg==
Critical = %szOID_KEY_USAGE%

During RootCA installation, the CAPolicy.inf was used to make the KeyUsage extension of the root certificate critical. This can be seen in the root certificate properties as well as in the certocm.log: Opened Policy inf: C:\Windows\CAPolicy.inf

The documentation states

The CAPolicy.inf is a configuration file that defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA.

So, why does the RootCA ignore the CAPolicy.inf when issuing a (SubCA) certificate, despite the docs stating otherwise?

Daniel

1 Answer


If the CSR has the BasicConstraint extension set to CA=True the CA will default to what you see above. You can override this by running the following on the signing CA (the Root):

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Restart the service, then try again.

garethTheRed
  • Thanks for that, it worked. Out of curiosity: Can you explain why it is called "Add old Key Usage" and not e.g., "Add default Key Usage" or similar? I don't understand what "old" refers to. – Daniel Jan 05 '22 at 20:37
  • I can only imagine that the original scheme was to sign as per the request at all times. The option was available on Server 2003, so 'Old' is very old - Server 2000. – garethTheRed Jan 05 '22 at 22:07
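As an added check (not code from the question or the answer), this PowerShell snippet run on the RootCA decodes the Key Usage value from the CAPolicy.inf above, reads the policy module's EditFlags, and compares the Key Usage extension the RootCA actually put into the issued SubCA certificate. The CA name, the certificate path and the 0x8 bit value for EDITF_ADDOLDKEYUSAGE (from certsrv.h) are assumptions.

```powershell
# Added example, not from the question or answer. Run on the RootCA as an administrator.
# Assumptions: $CaName and $SubCaCertPath are placeholders; EDITF_ADDOLDKEYUSAGE = 0x8 is
# taken from certsrv.h; the default policy module's registry key is used.
$CaName        = 'RootCA'             # placeholder: CA name as used under CertSvc\Configuration
$SubCaCertPath = 'C:\Temp\SubCA.cer'  # placeholder: the SubCA certificate issued by the RootCA

# 1. What CAPolicy.inf asks for: "AwIBhg==" is the DER BIT STRING 03 02 01 86,
#    i.e. bits 0x86 = DigitalSignature | KeyCertSign | CrlSign.
$kuDer    = [Convert]::FromBase64String('AwIBhg==')
$kuAsn    = [System.Security.Cryptography.AsnEncodedData]::new('2.5.29.15', $kuDer)
$wantedKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($kuAsn, $true)
"CAPolicy.inf Key Usage : $($wantedKu.KeyUsages)"

# 2. Is EDITF_ADDOLDKEYUSAGE set on the RootCA's default policy module?
#    (certutil -setreg policy\EditFlags writes this same registry value.)
$EDITF_ADDOLDKEYUSAGE = 0x8
$policyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
$flagState = if ($editFlags -band $EDITF_ADDOLDKEYUSAGE) { 'set' } else { 'clear' }
'EditFlags = 0x{0:X}; EDITF_ADDOLDKEYUSAGE is {1}' -f $editFlags, $flagState

# 3. What the RootCA actually placed in the SubCA certificate.
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SubCaCertPath)
$issuedKu = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if (-not $issuedKu) {
    'Issued certificate has no Key Usage extension'
} else {
    "Issued Key Usage       : $($issuedKu.KeyUsages) (Critical = $($issuedKu.Critical))"
    if ($issuedKu.KeyUsages -eq $wantedKu.KeyUsages -and $issuedKu.Critical) {
        'Issued Key Usage matches CAPolicy.inf'
    } else {
        'Issued Key Usage differs from CAPolicy.inf'
    }
}
```

Run it once before and once after changing EditFlags and restarting the service, so the registry value and the issued extension can be compared side by side.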