PKI - CA setup key usage problem

[Guest Joseph]

Hi all!

 

I am now setting up standalone Certificate Authority (Root & Subordinate CA)

using Windows Server 2003 R2 Standard Edition.

 

Under the default setting, I got "Key Usage" for both CA as "Digital

Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)".

 

For some reasons, I want to change the key usage to "Digital Signature,

Non-Repudiation,

Certificate Signing, Off-line CRL Signing, CRL Signing (c6)". How can I do it?

 

Also, in the "Authority Key Identifier" field, I would like to include both

"Certificate Issuer" & "Certificate Serialnumber" into this field. I tried

the following commands already but it didn't work.

 

certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME

certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL

 

Can anyone help me with steps how to setup?

[Guest Peter Foldes]

Joseph

 

You might want to repost this to the following newsgroup which can give you the

proper answer on your Server Security issue on the steps on how to set it up

 

On the web:

http://www.microsoft.com/communities/newsg...server.security

 

 

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 

"Joseph" <Joseph@discussions.microsoft.com> wrote in message

news:12A24AF8-3E34-429F-94FE-28EC7711D912@microsoft.com...<span style="color:blue">

> Hi all!

>

> I am now setting up standalone Certificate Authority (Root & Subordinate CA)

> using Windows Server 2003 R2 Standard Edition.

>

> Under the default setting, I got "Key Usage" for both CA as "Digital

> Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)".

>

> For some reasons, I want to change the key usage to "Digital Signature,

> Non-Repudiation,

> Certificate Signing, Off-line CRL Signing, CRL Signing (c6)". How can I do it?

>

> Also, in the "Authority Key Identifier" field, I would like to include both

> "Certificate Issuer" & "Certificate Serialnumber" into this field. I tried

> the following commands already but it didn't work.

>

> certutil -setreg policyEditFlags +EDITF_ENABLEAKIISSUERNAME

> certutil -setreg policyEditFlags +EDITF_ENABLEAKIISSUERSERIAL

>

> Can anyone help me with steps how to setup? </span>

[Guest Joseph]

Thanks for your suggestion. I have cross-posted this question to the

newsgroup.

 

"Peter Foldes" wrote:

<span style="color:blue">

> Joseph

>

> You might want to repost this to the following newsgroup which can give you the

> proper answer on your Server Security issue on the steps on how to set it up

>

> On the web:

> http://www.microsoft.com/communities/newsg...server.security

>

>

> --

> Peter

>

> Please Reply to Newsgroup for the benefit of others

> Requests for assistance by email can not and will not be acknowledged.

>

> "Joseph" <Joseph@discussions.microsoft.com> wrote in message

> news:12A24AF8-3E34-429F-94FE-28EC7711D912@microsoft.com...<span style="color:green">

> > Hi all!

> >

> > I am now setting up standalone Certificate Authority (Root & Subordinate CA)

> > using Windows Server 2003 R2 Standard Edition.

> >

> > Under the default setting, I got "Key Usage" for both CA as "Digital

> > Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)".

> >

> > For some reasons, I want to change the key usage to "Digital Signature,

> > Non-Repudiation,

> > Certificate Signing, Off-line CRL Signing, CRL Signing (c6)". How can I do it?

> >

> > Also, in the "Authority Key Identifier" field, I would like to include both

> > "Certificate Issuer" & "Certificate Serialnumber" into this field. I tried

> > the following commands already but it didn't work.

> >

> > certutil -setreg policyEditFlags +EDITF_ENABLEAKIISSUERNAME

> > certutil -setreg policyEditFlags +EDITF_ENABLEAKIISSUERSERIAL

> >

> > Can anyone help me with steps how to setup? </span>

>

> </span>