
capolicy.inf and policy.inf question


andykendall

Jan 18, 2007, 6:22:05 AM
Hi,

We have a 512bit root cert which we need to renew with a larger key. In a
test environment I can do this by creating a capolicy.inf file and
specifying the larger key size along with the root certs' extended key
usages.

My problem is, subsequent certificate requests are then only allowed if the
requested cert has a subset of the root certs' extended key usages (i.e
Application Policies).

I have read that capolicy.inf should be used to configure root ca's and
policy.inf to configure issuing CA's. As for us this is one and the same
thing (i.e. we only have one CA) what is the 'correct' way for us to
proceed?

Regards,


Andy


Paul Adare

Jan 18, 2007, 6:58:09 AM
In article <e7$5jLvOH...@TK2MSFTNGP02.phx.gbl>, in the
microsoft.public.security.crypto news group, <<Andy Kendall>>
says...

> We have a 512bit root cert which we need to renew with a larger key. In a
> test environment I can do this by creating a capolicy.inf file and
> specifying the larger key size along with the root certs' extended key
> usages.
>
> My problem is, subsequent certificate requests are then only allowed if the
> requested cert has a subset of the root certs' extended key usages (i.e
> Application Policies).
>

If you don't want to limit the types of certificates that are
issued by your CA then don't include that section in the
capolicy.inf. It would be helpful if you would post your .inf
file.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld

andykendall

Jan 18, 2007, 8:59:41 AM
Hi Paul,

Thanks for the reply.

What you suggest does work. The capolicy.inf file I am using is a sample
from the Microsoft PKI book and it has some key usages applied so I assumed
they were required. I have pasted the snippet below:

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.21.6 ; szOID_KP_KEY_RECOVERY_AGENT
OID = 1.3.6.1.4.1.311.10.3.9 ; szOID_ROOT_LIST_SIGNER
OID = 1.3.6.1.4.1.311.10.3.1 ; szOID_KP_CTL_USAGE_SIGNING
Critical = false


If I remove this suggestion, as you suggest everything works - so I take it
these key usages are not required for root certs? Anyway, if I do need to
restrict Key usage for issued certificates (and this has yet to be decided)
then every key usage entered under this section appears in the Application
Policies of the ROOT certificate, which doesn't seem correct.


Andy


"Paul Adare" <pad...@newsguy.com> wrote in message
news:MPG.20192ada6...@msnews.microsoft.com...

Brian Komar [MVP]

Jan 18, 2007, 3:08:35 PM
In article <uOSOnjwO...@TK2MSFTNGP06.phx.gbl>, <Andy Kendall> says...

> Hi Paul,
>
> Thanks for the reply.
>
> What you suggest does work. The capolicy.inf file I am using is a sample
> from the Microsoft PKI book and it has some key usages applied so I assumed
> they were required. I have pasted the snippet below:
>
> [EnhancedKeyUsageExtension]
> OID = 1.3.6.1.4.1.311.21.6 ; szOID_KP_KEY_RECOVERY_AGENT
> OID = 1.3.6.1.4.1.311.10.3.9 ; szOID_ROOT_LIST_SIGNER
> OID = 1.3.6.1.4.1.311.10.3.1 ; szOID_KP_CTL_USAGE_SIGNING
> Critical = false
>
>
> If I remove this suggestion, as you suggest everything works - so I take it
> these key usages are not required for root certs? Anyway, if I do need to
> restrict Key usage for issued certificates (and this has yet to be decided)
> then every key usage entered under this section appears in the Application
> Policies of the ROOT certificate, which doesn't seem correct.
>
>
> Andy
>
<snip>
Trust me (the author).
Just an example and not required. By putting those in you are limiting the CA to issuing
certificates that only contain those application policy or EKU OIDs.
Brian

andykendall

Jan 19, 2007, 4:21:14 AM
Thanks Brian,

Great book by the way - it has been a lifeline for us on this project!

"Brian Komar [MVP]" <bko...@nospam.identit.ca> wrote in message
news:MPG.20198fb9f...@msnews.microsoft.com...

andykendall

Jan 19, 2007, 4:28:53 AM
Brian,

So when I do have entries under EnhancedKeyUsageExtension, and then renew a
root certificate, that certificate has the key usages (as Application
Policies). How do I restrict key usages for end user certificates without
specifically applying those restricted key usages to the root certificate?

Thanks,

Andy

"Brian Komar [MVP]" <bko...@nospam.identit.ca> wrote in message
news:MPG.20198fb9f...@msnews.microsoft.com...

Paul Adare

Jan 19, 2007, 5:08:48 AM
In article <uTXd#w6OHH...@TK2MSFTNGP02.phx.gbl>, in the
microsoft.public.security.crypto news group, <<Andy Kendall>>
says...

> So when I do have entries under EnhancedKeyUsageExtension, and then renew a
> root certificate, that certificate has the key usages (as Application
> Policies). How do I restrict key usages for end user certificates without
> specifically applying those restricted key usages to the root certificate?
>

Andy, what does your environment look like exactly? From the
sounds of it you've got a single standalone root CA from which
you issue certificates to end users, correct? What server SKU is
your root CA running?
If your goal is to restrict the types of certificates you want
to issue to end users then you have really two options
(depending on the answers to the above, you may only have the
first option available):

1. Use the section in capolicy.inf and restrict your root CA
such that it can only issue certificates with the intended key
usages.
2. If your CA is an Enterprise Root CA running in Windows Server
2003 Enterprise Edition then you can leave your CA enabled for
all policies and use certificate templates to restrict what
types of certificates you want to issue. You'd only publish the
certificate templates that you wanted to make available and you
could further restrict access to those templates using the DACLs
on the certificate template objects.

In our engagements Brian and I try to get customers to move away
from limiting the usages of root, policy, and issuing CAs as
that is a very inflexible way to control the certificate types
that can be issued.

This article may help you accomplish what you're trying to do
here:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/build_ent_root_ca.mspx

or

http://tinyurl.com/2pz7q2

andykendall

Jan 19, 2007, 6:14:27 AM
Hi Paul,

We have a single Enterprise CA running on Windows 2003 server Enterprise
edition, so templates are certainly viable for us and in fact, that is how
we restrict what types of certificates can be issued now.

The question I have is more academic than practical (now that I know that
the EnhancedKeyUsageExtension can be omitted completely). I take your point
about it being a good idea to restrict at the template level rather than
capolicy.inf and I shall certainly be recommending we stick with that
approach to our policy makers.

However, I am seeking to understand this area more clearly because one of
the questions we face is whether to expand our CA hierarchy from one tier to
two and I suspect this issue may then become relevant. From documents I have
read it seems that policy.inf can be used to restrict cert key usage on
issuing CA's and that capolicy.inf on root CA's. However, I can find very
little practical information on policy.inf. So I wonder, is the 'correct'
way to restrict end user certificate key usage at the CA level to use
policy.inf and not capolicy.inf? As I have said, my observations are that
entries in the EnhancedKeyUsageExtension of capolicy.inf seem to restrict
certificates to only having a subset of these key usages EXCEPT when renewing
the root cert which is GRANTED each of the key usages.

Regards, Andy


"Paul Adare" <pad...@newsguy.com> wrote in message
news:MPG.201a62ba2...@msnews.microsoft.com...
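The behaviour the thread converges on, modelled as an added example (not part of this thread, and not Microsoft's certsrv code): Brian's rule that an [EnhancedKeyUsageExtension] section limits the CA to issuing certificates whose EKUs are a subset of the listed OIDs, and Andy's closing observation that the renewed root itself is granted every OID in that list. The script parses the snippet Andy posted, wrapped in a constructed minimal capolicy.inf, beside a constructed copy with the section omitted as Paul suggests, and checks sample requests against each. The server-authentication OID used as a counter-example is my own choice of test value, not something from the thread.

```python
"""Model of how the [EnhancedKeyUsageExtension] section of capolicy.inf
affects a Windows CA, as described in this thread (added example, not
Microsoft's certsrv implementation)."""

from __future__ import annotations

# Constructed sample: the section Andy posted, wrapped in a minimal capolicy.inf.
CAPOLICY_WITH_EKU = """\
[Version]
Signature="$Windows NT$"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.21.6 ; szOID_KP_KEY_RECOVERY_AGENT
OID = 1.3.6.1.4.1.311.10.3.9 ; szOID_ROOT_LIST_SIGNER
OID = 1.3.6.1.4.1.311.10.3.1 ; szOID_KP_CTL_USAGE_SIGNING
Critical = false
"""

# Constructed sample: the same file with the section left out, as Paul suggests.
CAPOLICY_WITHOUT_EKU = """\
[Version]
Signature="$Windows NT$"
"""

# id-kp-serverAuth, a standard EKU that is not in Andy's list (assumed test value).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"


def parse_inf(text: str) -> dict[str, list[tuple[str, str]]]:
    """Parse INF text into {section: [(key, value), ...]}.

    The OID key repeats, so each section keeps an ordered list of pairs
    rather than a dict. Text after ';' is a comment and is dropped.
    """
    sections: dict[str, list[tuple[str, str]]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def allowed_ekus(inf: dict[str, list[tuple[str, str]]]) -> frozenset[str] | None:
    """EKU OIDs the CA is limited to, or None when the section is absent
    (the CA is then not restricted at all)."""
    entries = inf.get("EnhancedKeyUsageExtension")
    if entries is None:
        return None
    return frozenset(value for key, value in entries if key.lower() == "oid")


def renewed_root_ekus(allowed: frozenset[str] | None) -> frozenset[str]:
    """What Andy observed: the renewed root certificate is granted every
    OID in the list; with no section it carries no EKU list at all."""
    return frozenset() if allowed is None else allowed


def would_issue(allowed: frozenset[str] | None, requested: set[str]) -> bool:
    """Brian's rule: with the section present, a request is only honoured
    when its EKUs are a subset of the listed OIDs."""
    return allowed is None or requested <= allowed


if __name__ == "__main__":
    for label, text in (("with EKU section", CAPOLICY_WITH_EKU),
                        ("without EKU section", CAPOLICY_WITHOUT_EKU)):
        allowed = allowed_ekus(parse_inf(text))
        print(f"{label}: root EKUs = {sorted(renewed_root_ekus(allowed)) or 'none'}")
        for request in ({"1.3.6.1.4.1.311.10.3.1"}, {SERVER_AUTH}):
            print(f"  request {sorted(request)} -> issued: {would_issue(allowed, request)}")
```

Run it as-is: with the section present, the CTL-signing request passes and the server-authentication request is refused, while the root carries all three OIDs; with the section omitted, both requests pass and the root carries no EKU list, which is exactly why Paul and Brian steer people toward templates and template DACLs for this kind of restriction.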
