Score:1

Standalone Root CA does not enforce KeyUsage settings from CAPolicy.inf when issuing certificates


I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019.

The RootCA seems to ignore the CAPolicy.inf file configuration settings, when attempting to sign the SubCA's CSR, as shown in the pending request properties view:

[screenshot of the pending request properties view]

The CAPolicy.inf on the RootCA (%SystemRoot%\CAPolicy.inf) is this:

[Version]
Signature= "$Windows NT$"

[Strings]
szOID_KEY_USAGE = "2.5.29.15"

[Extensions]
%szOID_KEY_USAGE% = AwIBhg==
Critical = %szOID_KEY_USAGE%

During RootCA installation, the CAPolicy.inf was used to make the KeyUsage extension of the root certificate critical. This can be seen in the root certificate properties as well as in certocm.log, which contains the line "Opened Policy inf: C:\Windows\CAPolicy.inf".

The documentation states

The CAPolicy.inf is a configuration file that defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA.

So, why does the RootCA ignore the CAPolicy.inf when issuing a (SubCA) certificate, despite the docs stating otherwise?
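As an added worked example (not part of the original question or answer), the following Python decodes the AwIBhg== value from the CAPolicy.inf above into the KeyUsage bit names it sets, and encodes a chosen set of bits back into the base64 DER form that the [Extensions] section expects. The bit table follows RFC 5280; the function names and the constructed inputs are my own.

```python
import base64

# RFC 5280 KeyUsage bit positions. In a DER BIT STRING, bit 0 is the most
# significant bit of the first content byte after the unused-bits octet.
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (also called contentCommitment)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]


def decode_key_usage(b64_value):
    """Decode the base64 DER value from a CAPolicy.inf [Extensions] line
    into the list of KeyUsage bit names that are set."""
    der = base64.b64decode(b64_value)
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused = der[2]
    payload = der[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits count")
    names = []
    total_bits = len(payload) * 8 - unused
    for bit in range(total_bits):
        byte, offset = divmod(bit, 8)
        if payload[byte] & (0x80 >> offset):
            if bit >= len(KEY_USAGE_BITS):
                raise ValueError("KeyUsage bit %d is undefined" % bit)
            names.append(KEY_USAGE_BITS[bit])
    return names


def encode_key_usage(names):
    """Encode a set of KeyUsage bit names as the base64 DER value CAPolicy.inf
    expects. DER demands the shortest BIT STRING: trailing zero bits are
    dropped and accounted for in the unused-bits octet."""
    bits = sorted(KEY_USAGE_BITS.index(n) for n in set(names))
    if not bits:
        return base64.b64encode(b"\x03\x01\x00").decode()
    highest = bits[-1]
    nbytes = highest // 8 + 1
    payload = bytearray(nbytes)
    for bit in bits:
        byte, offset = divmod(bit, 8)
        payload[byte] |= 0x80 >> offset
    unused = nbytes * 8 - (highest + 1)
    content = bytes([unused]) + bytes(payload)
    der = bytes([0x03, len(content)]) + content
    return base64.b64encode(der).decode()


def capolicy_extension_lines(names, critical=True):
    """Render the [Extensions] lines for CAPolicy.inf, with the
    szOID_KEY_USAGE string from the question expanded to its OID."""
    oid = "2.5.29.15"
    lines = ["%s = %s" % (oid, encode_key_usage(names))]
    if critical:
        lines.append("Critical = %s" % oid)
    return lines


if __name__ == "__main__":
    # Constructed input: the exact value from the CAPolicy.inf in the question.
    print(decode_key_usage("AwIBhg=="))
    print("\n".join(capolicy_extension_lines(
        ["digitalSignature", "keyCertSign", "cRLSign"])))
```

The value on the page decodes to digitalSignature, keyCertSign and cRLSign, which is the usual set for a CA certificate. After the subordinate certificate has been issued, the Key Usage shown by certutil -dump on that certificate can be compared against this list to confirm what the CA actually put in.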

Score:1

If the CSR has the BasicConstraints extension set to CA=True, the CA will default to what you see above. You can override this by running the following on the signing CA (the Root):

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Restart the service, then try again.

Daniel (the asker) commented:
Thanks for that, it worked. Out of curiosity: Can you explain why it is called "Add old Key Usage" and not e.g., "Add default Key Usage" or similar? I don't understand what "old" refers to.
Reply from the answerer:
I can only imagine that the original scheme was to sign as per the request at all times. The option was available on Server 2003, so 'Old' is very old - Server 2000.