
HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.

When you request Key Encipherment and Key Agreement in the Key Usage extension, the CA's default policy module strips off the Key Agreement flag by default.

Here are the available flags:

#define CERT_DIGITAL_SIGNATURE_KEY_USAGE    0x80
#define CERT_NON_REPUDIATION_KEY_USAGE      0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE     0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE    0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE        0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE        0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE     0x02
#define CERT_CRL_SIGN_KEY_USAGE             0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE        0x01

If you dump the request before you submit it, via "certutil -dump request.csr", you will see that the request carries the proper flags:

2.5.29.15: Flags = 0, Length = 4
 Key Usage
     Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)

However, once you submit it and view the issued request's properties, you will see that the Key Usage has changed:

certutil -view -restrict requestid=5 -v -out ext:2.5.29.15

Row 1:
  Certificate Extensions:
    2.5.29.15: Flags = 20000(Origin=Policy), Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)

    0000  03 02 04 b0                                        ....

How can we avoid this?

You clear the EDITF_ADDOLDKEYUSAGE flag from the policy module's EditFlags as follows:

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
  EditFlags REG_DWORD = 83ee (33774)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)


New Value:
  EditFlags REG_DWORD = 83e6 (33766)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect
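To make the two certutil dumps above concrete, here is an added example (not code from the original post) that decodes the Key Usage BIT STRING exactly as certutil shows it (the issued value "03 02 04 b0" is taken from the post; the request value "03 02 03 b8" is constructed from the "(b8)" summary in the request dump), reports which Key Usage bits the CA dropped, and decodes the old and new EditFlags values to show that the only bit removed is EDITF_ADDOLDKEYUSAGE. The flag names and values are the ones listed on this page; the function names are my own.

```python
"""Decode the Key Usage and EditFlags bitmasks shown in the certutil output above."""

# Key Usage bit flags from wincrypt.h (values as listed in the post).
KEY_USAGE_FLAGS = {
    0x80: "Digital Signature",    # CERT_DIGITAL_SIGNATURE_KEY_USAGE
    0x40: "Non-Repudiation",      # CERT_NON_REPUDIATION_KEY_USAGE
    0x20: "Key Encipherment",     # CERT_KEY_ENCIPHERMENT_KEY_USAGE
    0x10: "Data Encipherment",    # CERT_DATA_ENCIPHERMENT_KEY_USAGE
    0x08: "Key Agreement",        # CERT_KEY_AGREEMENT_KEY_USAGE
    0x04: "Certificate Signing",  # CERT_KEY_CERT_SIGN_KEY_USAGE
    0x02: "CRL Signing",          # CERT_CRL_SIGN_KEY_USAGE (same bit as CERT_OFFLINE_CRL_SIGN_KEY_USAGE)
    0x01: "Encipher Only",        # CERT_ENCIPHER_ONLY_KEY_USAGE
}

# Policy module EditFlags named in the certutil -setreg output above.
EDIT_FLAGS = {
    0x2: "EDITF_REQUESTEXTENSIONLIST",
    0x4: "EDITF_DISABLEEXTENSIONLIST",
    0x8: "EDITF_ADDOLDKEYUSAGE",
    0x20: "EDITF_ATTRIBUTEENDDATE",
    0x40: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x80: "EDITF_BASICCONSTRAINTSCA",
    0x100: "EDITF_ENABLEAKIKEYID",
    0x200: "EDITF_ATTRIBUTECA",
    0x8000: "EDITF_ATTRIBUTEEKU",
}


def decode_bits(value, table):
    """Return the names of the bits set in `value`, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True) if value & bit]


def parse_key_usage_der(der):
    """Parse a DER KeyUsage BIT STRING (tag 0x03) and return its first-byte bitmask.

    Layout is 03 <len> <unused-bit-count> <bits...>. KeyUsage bits are the
    leading bits of the first content byte, so the post's "03 02 04 b0" has
    four unused trailing bits and a mask of 0xb0.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length < 1 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bit count must be 0..7")
    if length == 1:
        return 0  # empty bit string: no key usage bits at all
    # Mask off the trailing bits that DER declares unused.
    return der[3] & (0xFF << unused) & 0xFF


def stripped_key_usage(requested_mask, issued_mask):
    """Key Usage flags present in the request but absent from what the CA issued."""
    return decode_bits(requested_mask & ~issued_mask, KEY_USAGE_FLAGS)


def edit_flags_diff(old_value, new_value):
    """Return (removed, added) EditFlags names between two registry values."""
    removed = decode_bits(old_value & ~new_value, EDIT_FLAGS)
    added = decode_bits(new_value & ~old_value, EDIT_FLAGS)
    return removed, added


if __name__ == "__main__":
    # Constructed from the request dump's "(b8)" summary: 0xb8 has 3 trailing zero bits.
    requested = parse_key_usage_der(bytes.fromhex("030203b8"))
    # Taken verbatim from the issued-request dump in the post.
    issued = parse_key_usage_der(bytes.fromhex("030204b0"))
    print("requested:", decode_bits(requested, KEY_USAGE_FLAGS))
    print("issued:   ", decode_bits(issued, KEY_USAGE_FLAGS))
    print("stripped: ", stripped_key_usage(requested, issued))

    removed, added = edit_flags_diff(0x83EE, 0x83E6)
    print("EditFlags removed:", removed, "added:", added)
```

Running this prints the four requested usages, the three issued ones, "Key Agreement" as the stripped flag, and EDITF_ADDOLDKEYUSAGE as the single bit cleared between 0x83ee and 0x83e6. The same two functions work on any Key Usage value certutil prints, so you can run them against a batch of issued certificates to check whether a CA is silently narrowing requested usages.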

Thanks to my colleague Jonathan Stephens for the tip. ;)

-spat

Published Thursday, April 27, 2006 1:41 PM by SpatDSG

Comments

Friday, July 18, 2008 11:02 AM by Luciano

# re: HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.

This is not clear AT ALL. Where are these flags defined? What does removing that entry imply? How can I change the Key Usage from b8 to 0x06?
