Spat's WebLog (Steve Patrick)

When things go wrong...

HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.


When a request asks for both Key Encipherment and Key Agreement in the Key Usage extension, we (the CA's default policy module) strip off the Key Agreement flag by default.

Here are the available flags:

#define CERT_DIGITAL_SIGNATURE_KEY_USAGE    0x80
#define CERT_NON_REPUDIATION_KEY_USAGE      0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE     0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE    0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE        0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE        0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE     0x02
#define CERT_CRL_SIGN_KEY_USAGE             0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE        0x01

If you dump the request before you submit it, via "certutil -dump request.csr", you will see that it carries the flags you asked for:

2.5.29.15: Flags = 0, Length = 4
 Key Usage
     Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)

 

However, once you submit it and view the request's properties on the CA, you will see that the Key Usage has changed:

certutil -view -restrict requestid=5 -v -out ext:2.5.29.15

Row 1:
  Certificate Extensions:
    2.5.29.15: Flags = 20000(Origin=Policy), Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)

    0000  03 02 04 b0                                        ....
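To make the two certutil listings above concrete, here is an added example (my own code, not from the post or from Microsoft) that decodes the raw value of the 2.5.29.15 extension and names its bits using the CERT_*_KEY_USAGE masks from the table. The sample bytes are constructed from the post: "03 02 04 b0" is the issued value shown above, and "03 02 03 b8" is what the request's b8 looks like in DER (Key Agreement is bit 0x08, so only 3 trailing bits are unused). The decoder also rejects a value whose unused-bit count does not match its flags, which is how a mis-built request would fail before it ever reaches the CA.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Key usage bit flags as defined in wincrypt.h (the values listed in the post). */
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE  0x80
#define CERT_NON_REPUDIATION_KEY_USAGE    0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE   0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE      0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE      0x04
#define CERT_CRL_SIGN_KEY_USAGE           0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE      0x01

/* Constructed sample values: the extension bytes from the post
 * ("03 02 04 b0" for the issued certificate) and the DER for the
 * request's value b8, which has one more used bit and so 3 unused bits. */
const unsigned char KU_ISSUED_DER[]    = { 0x03, 0x02, 0x04, 0xb0 };
const unsigned char KU_REQUESTED_DER[] = { 0x03, 0x02, 0x03, 0xb8 };
/* Malformed (constructed): claims 4 unused bits but bit 3 (Key Agreement) is set. */
const unsigned char KU_BAD_DER[]       = { 0x03, 0x02, 0x04, 0xb8 };

/* Decode the DER value of a KeyUsage extension (OID 2.5.29.15):
 *   03 <length> <unused-bit count> <flag byte>
 * Returns the flag byte (compare against the CERT_*_KEY_USAGE masks),
 * or -1 if the bytes are not valid DER for a one-byte named bit list. */
int decode_key_usage(const unsigned char *der, size_t len)
{
    /* BIT STRING tag with exactly two content bytes: unused count + flags */
    if (len != 4 || der[0] != 0x03 || der[1] != 0x02) return -1;
    unsigned unused = der[2];
    unsigned flags  = der[3];
    if (unused > 7) return -1;
    /* DER for a named bit list: padding bits are zero, and trailing zero
     * bits are never counted as used, so the last used bit must be 1. */
    if (flags & ((1u << unused) - 1)) return -1;
    if (!((flags >> unused) & 1)) return -1;
    return (int)flags;
}

/* Render a flag byte the way certutil prints it, e.g.
 * "Digital Signature, Key Encipherment, Data Encipherment". */
const char *key_usage_names(int flags)
{
    static const struct { int bit; const char *name; } table[] = {
        { CERT_DIGITAL_SIGNATURE_KEY_USAGE, "Digital Signature" },
        { CERT_NON_REPUDIATION_KEY_USAGE,   "Non-Repudiation" },
        { CERT_KEY_ENCIPHERMENT_KEY_USAGE,  "Key Encipherment" },
        { CERT_DATA_ENCIPHERMENT_KEY_USAGE, "Data Encipherment" },
        { CERT_KEY_AGREEMENT_KEY_USAGE,     "Key Agreement" },
        { CERT_KEY_CERT_SIGN_KEY_USAGE,     "Certificate Signing" },
        { CERT_CRL_SIGN_KEY_USAGE,          "CRL Signing" },
        { CERT_ENCIPHER_ONLY_KEY_USAGE,     "Encipher Only" },
    };
    static char buf[160];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (flags & table[i].bit) {
            if (buf[0]) strcat(buf, ", ");
            strcat(buf, table[i].name);
        }
    }
    return buf;
}

int main(void)
{
    const unsigned char *samples[] = { KU_REQUESTED_DER, KU_ISSUED_DER, KU_BAD_DER };
    const char *labels[] = { "request", "issued", "malformed" };
    for (int i = 0; i < 3; i++) {
        int flags = decode_key_usage(samples[i], 4);
        if (flags < 0)
            printf("%-9s: invalid DER\n", labels[i]);
        else
            printf("%-9s: %s (%02x)%s\n", labels[i], key_usage_names(flags), flags,
                   (flags & CERT_KEY_AGREEMENT_KEY_USAGE) ? "" : "  <- Key Agreement missing");
    }
    return 0;
}
```

Comparing the decoded request value against the decoded issued value is a quick post-issuance check that the CA honoured the Key Usage you asked for; the "Key Agreement missing" marker is exactly the b8-to-b0 change the post describes.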

How can we avoid this?

You clear the EDITF_ADDOLDKEYUSAGE flag on the policy module's EditFlags value as follows (certutil prints the registry value it changes, under the CA's own name, here "spatula"):

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
 

Old Value:
  EditFlags REG_DWORD = 83ee (33774)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)


New Value:
  EditFlags REG_DWORD = 83e6 (33766)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect
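The before/after listing above is just one bit being cleared from a DWORD. As an added example (mine, not the post's or Microsoft's), here is a small C model of what that change does: it reproduces the EditFlags listing from the values 83ee and 83e6, shows that "-EDITF_ADDOLDKEYUSAGE" is a clear of bit 0x8, and applies the behaviour the post describes (Key Agreement dropped when it is requested together with Key Encipherment and the flag is set) to the request's b8. The issued_key_usage function is an assumption that models only what this post states, not the policy module's real source.

```c
#include <stdio.h>
#include <string.h>

/* Policy module EditFlags named in the post's certutil output. */
#define EDITF_REQUESTEXTENSIONLIST     0x2UL
#define EDITF_DISABLEEXTENSIONLIST     0x4UL
#define EDITF_ADDOLDKEYUSAGE           0x8UL
#define EDITF_ATTRIBUTEENDDATE         0x20UL
#define EDITF_BASICCONSTRAINTSCRITICAL 0x40UL
#define EDITF_BASICCONSTRAINTSCA       0x80UL
#define EDITF_ENABLEAKIKEYID           0x100UL
#define EDITF_ATTRIBUTECA              0x200UL
#define EDITF_ATTRIBUTEEKU             0x8000UL

/* Key usage bits involved (from wincrypt.h). */
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
#define CERT_KEY_AGREEMENT_KEY_USAGE    0x08

/* The two EditFlags values from the post: before and after the -setreg. */
#define EDITFLAGS_OLD 0x83eeUL
#define EDITFLAGS_NEW 0x83e6UL

/* certutil -setreg policy\EditFlags -FLAG clears one bit; +FLAG sets it. */
unsigned long edit_flags_clear(unsigned long v, unsigned long f) { return v & ~f; }
unsigned long edit_flags_set(unsigned long v, unsigned long f)   { return v | f; }

/* Model (an assumption, not the policy module's source) of the behaviour the
 * post describes: with EDITF_ADDOLDKEYUSAGE set, a request carrying both
 * Key Encipherment and Key Agreement loses Key Agreement; otherwise the
 * requested value is issued unchanged. */
int issued_key_usage(int requested, unsigned long edit_flags)
{
    int both = (requested & CERT_KEY_ENCIPHERMENT_KEY_USAGE) &&
               (requested & CERT_KEY_AGREEMENT_KEY_USAGE);
    if ((edit_flags & EDITF_ADDOLDKEYUSAGE) && both)
        return requested & ~CERT_KEY_AGREEMENT_KEY_USAGE;
    return requested;
}

/* Render an EditFlags value as a list of the names certutil prints. */
const char *edit_flag_names(unsigned long v)
{
    static const struct { unsigned long bit; const char *name; } table[] = {
        { EDITF_REQUESTEXTENSIONLIST,     "EDITF_REQUESTEXTENSIONLIST" },
        { EDITF_DISABLEEXTENSIONLIST,     "EDITF_DISABLEEXTENSIONLIST" },
        { EDITF_ADDOLDKEYUSAGE,           "EDITF_ADDOLDKEYUSAGE" },
        { EDITF_ATTRIBUTEENDDATE,         "EDITF_ATTRIBUTEENDDATE" },
        { EDITF_BASICCONSTRAINTSCRITICAL, "EDITF_BASICCONSTRAINTSCRITICAL" },
        { EDITF_BASICCONSTRAINTSCA,       "EDITF_BASICCONSTRAINTSCA" },
        { EDITF_ENABLEAKIKEYID,           "EDITF_ENABLEAKIKEYID" },
        { EDITF_ATTRIBUTECA,              "EDITF_ATTRIBUTECA" },
        { EDITF_ATTRIBUTEEKU,             "EDITF_ATTRIBUTEEKU" },
    };
    static char buf[512];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (v & table[i].bit) {
            if (buf[0]) strcat(buf, ", ");
            strcat(buf, table[i].name);
        }
    }
    return buf;
}

int main(void)
{
    unsigned long after = edit_flags_clear(EDITFLAGS_OLD, EDITF_ADDOLDKEYUSAGE);
    printf("Old Value: %lx -> %s\n", EDITFLAGS_OLD, edit_flag_names(EDITFLAGS_OLD));
    printf("New Value: %lx -> %s\n", after, edit_flag_names(after));
    /* The request from the post asked for b8 (includes Key Agreement). */
    printf("issued with old flags: %02x\n", issued_key_usage(0xb8, EDITFLAGS_OLD));
    printf("issued with new flags: %02x\n", issued_key_usage(0xb8, after));
    return 0;
}
```

Reading the EditFlags value back after the change (the "New Value" block certutil prints) and confirming the bit is gone is the check to make before restarting CertSvc, since the service only picks the value up on restart.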

 

Thanks to my colleague Jonathan Stephens for the tip. ;)

-spat

 

Comments (1)

  • This is not clear AT ALL. Where are these flags defined? What does removing that entry imply? How can I change the Key Usage from b8 to 0x06?
