HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.
When you request both Key Encipherment and Key Agreement in the key usage, the default policy module strips off the Key Agreement flag.
Here are the available flags:
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_NON_REPUDIATION_KEY_USAGE 0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
#define CERT_CRL_SIGN_KEY_USAGE 0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01
If you dump the request before you submit it (certutil -dump request.csr), you will see that it carries the requested flags:
2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)
However, once you submit it and view the properties of the resulting request row, you will see that the key usage has changed:
certutil -view -restrict requestid=5 -v -out ext:2.5.29.15
Row 1:
Certificate Extensions:
2.5.29.15: Flags = 20000(Origin=Policy), Length = 4
Key Usage
Digital Signature, Key Encipherment, Data Encipherment (b0)
0000  03 02 04 b0                                       ....
How can we avoid this?
You clear the EDITF_ADDOLDKEYUSAGE flag on the policy module as follows:
certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
Old Value:
EditFlags REG_DWORD = 83ee (33774)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
New Value:
EditFlags REG_DWORD = 83e6 (33766)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect
Thanks to my colleague Jonathan Stephens for the tip.. ;)
-spat
Comments
- Anonymous
July 18, 2008
This is not clear AT ALL. Where are these flags defined? What does removing that entry imply? How can I change the Key Usage from b8 to 0x06?