
HowTo: Set the AKI extension field for serial and issuer name

Another post from

http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0189.html

“We have a Windows2003 box which is currently issuing certificates with an Authority Key Identifier extension with a KeyID only (i.e. KeyID=ed 2a 47 a4 e9 09 5a ec 9e 51 1a 81 04 58 78 87 61 3f 94 fc).

How do we add the IssuerName and IssuerSerial number to the AKI field?

Note: the certutil "-setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL" and "certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME" fail to add these fields to the issued certificates.”

ANSWER:

For a Windows 2003 CA you also need to set the following:

certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME

certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERSERIAL

The first setting (certutil -setreg ca\CRLEditFlags, the two commands above) enables the CA itself to generate the extension with the issuer name and serial number populated.

The second setting (certutil -setreg policy\EditFlags, the one the question already tried) tells the policy module to leave those fields in the extension. Both are needed: without the CA-side flags the fields are never generated, and without the policy-module flags they are removed before issuance.
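The complete procedure, as an added example that is not part of the original post: both flag sets from the answer applied with certutil, a restart of the CA service (certutil -setreg only writes the registry, and the CA reads it when the service starts), and a small PowerShell function that inspects the Authority Key Identifier of a certificate issued after the restart to confirm that the issuer name and serial number are now present. The service restart, the Get-AkiFields function, the label strings it looks for and the certificate path are additions and assumptions here, not anything from the original post.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# prompt on the CA. The four certutil lines are the two settings the answer
# gives (CA-side CRLEditFlags plus the policy-module EditFlags the question had
# already tried); everything after them is an addition, and the certificate
# path at the bottom is a placeholder.

# --- 1. CA-side flags: allow the CA to populate issuer name and serial in AKI.
certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME
certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERSERIAL

# --- 2. Policy-module flags: keep those fields instead of stripping them.
certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME
certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL

# --- 3. -setreg only writes the registry; the CA reads it at service start.
Restart-Service -Name CertSvc

# --- 4. Confirm the stored values (the flag names are listed in the output).
certutil -getreg ca\CRLEditFlags
certutil -getreg policy\EditFlags

# --- 5. Inspect the Authority Key Identifier (OID 2.5.29.35) of a certificate
#        issued after the restart. Certificates issued before the change are
#        not rewritten; only new issuance picks up the flags.
function Get-AkiFields {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    $aki = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if ($null -eq $aki) {
        return $null   # no AKI extension at all
    }

    # Format($true) yields CryptoAPI's multi-line text for the extension.
    # Assumption: an English Windows build, where the three components are
    # labelled "KeyID=", "Certificate Issuer:" and "Certificate SerialNumber=".
    $text = $aki.Format($true)

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        KeyId        = ($text -match 'KeyID=')
        IssuerName   = ($text -match 'Certificate Issuer')
        IssuerSerial = ($text -match 'Certificate SerialNumber')
        Raw          = $text
    }
}

# Placeholder path: replace with a certificate the CA issued after step 3.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued.cer'
Get-AkiFields -Certificate $issued | Format-List
```

Before the change, Get-AkiFields reports KeyId true and the other two false; after the restart and a fresh enrollment all three should be true. Two things worth knowing before turning this on: RFC 5280 only requires the keyIdentifier form (conforming CAs must include it), so the issuer name and serial number are optional extras; and because those two fields name one specific CA certificate, a relying party that matches on them strictly (OpenSSL reports X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH in that case) will not chain older end-entity certificates to a CA certificate that has since been renewed under a new serial number, even when the key is unchanged. Test chain building with the clients you actually have before enabling this across an issuing CA.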

 

 

 

Spat

 

PS:

  • My posts seem to vary in text size.... one day I'll figure this out.
  • My URL links don't show up as links when viewed from the main blogs.msdn.com page - I noticed some folks do show up right.. one day I'll figure this out too.
  • It would be really cool if I could search within blogs.msdn.com -- say I only wanted hits from within these blogs.

 

Published Tuesday, February 22, 2005 10:48 AM by SpatDSG