In order to mark the key usage extension as critical and only for: Certificate Signing, Off-line CRL Signing, CRL Signing (06), then this must be declared in the certificate request itself, and the issuing CA (the Root in this case) must also be configured to accept this. In other words, by default the issuing CA will ignore the key usage statement in the request and simply apply Microsofts default configuration - non critical with key usage of: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86).

The sub CA request must contain the following statement under the [Extensions] label:

2.5.29.15=AwIBBg==
Critical=2.5.29.15

On the issuing CA, it is recommended to see what the current configuration is firtstly, to do this type:

certutil -getreg policy\EditFlags

You should see something like:

It is the "EDITF_ADDOLDKEYUSAGE -- 8" parameter that we need to change, or rather remove, to do this type:

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Even if you are not using certificate templates the certificate template extension will appear in the subordinate CA certificate. It doesn't appear to make any difference in the capolicy.inf file of the requesting sub CA if you try to nullify the extension (i.e. 1.3.6.1.4.1.311.21.7= ). Instead this must be executed on th eissuing CA with the following commands:

Doing this will have an impact on autoenrollment (if that's required), see the following article..

There are several ways in which certificate requests can be processed by issuing Certification Authorities (CA).  The CA can blindly accept requests and issue the certificate without caring about its contents; or, it can apply changes or make additions to the requests in order to conform to its policies.  Note that the request signature cannot be changed.

Two methods have been explored into find the most suitable way to manipulate CA requests to ensure request processing is efficient and its maintenance and support is uncomplicated and achievable. These methods use the Microsoft utilities certutil and certreq and are explained below:

Certreq

To use the certreq method the certificate issuin CA must:

a)      Create a policy.inf file with the additions\constraints that need to be applied;

b)      Apply the policy.inf to the original request creating a PKcs7;

c)       Submit the resulting request; and

d)      Receive and check the resulting certificate.

Create a policy.inf file

For the purpose of this excercise the policy.inf file will stipulate the addition of the Name Constraints extension as follows:

*************************************

[NameConstraintsExtension]

Include = NameConstraintsPermitted

Exclude = NameConstraintsExcluded

Critical = TrUe

[NameConstraintsPermitted]

DNS = .r.mil.uk

UPN = @r.mil.uk

email = @r.mil.uk

DIRECTORYNAME = "dc=r,dc=mil,dc=uk"

DIRECTORYNAME = "ou=Ling,o=inh def,c=gb"

[NameConstraintsExcluded]

; list of user defined excluded DNS names

DNS = dontgothere.com

***************************

This file needs to be saved as anything.inf in an accessible directory

Apply the policy.inf to the request

Using the command prompt execute the following:

Certreq –policy “request file” “custom anything.inf file” “new request file”

During this process you will be prompted for a certificate to resign the request

Submit the request

Use the usual certreq command to submit the new request, for example:

Certreq –submit MySecondRequest.csr

Receive and check the certificate

Then check the Pending container on the CA and issue the certificate

Finally check that the certificate contains the extensions specified in the anything.inf file

Certutil version

First we need to find the DER encoding for the name constraints we want to stipulate.  This is fine if you know how to do this but for this demonstration I shall nick this from a certificate that already has the name constraints extension stipulated (and configured with the name spaces and types we want), this can be done using either certutil or even opensl (probably others too)

·         Certutil –dump –v “certificate with extension you want to nick”; or

·         Openssl asn1parse –in   “certificate with extension you want to nick” –inform DER (or PEM depending on the cert)

Whichever command you use, you need to copy the DER encoding for the name constraints to a text file.

Then you need to find out what the Name Constraints OID is (or any other OID depending on the extension you want to change\add), google is a good bet and Microsoft technet (http://support.microsoft.com/kb/287547).  For name constraints it’s 1.3.6.1.4.1.311.10.3.10

Then you need to submit the request so that it sits in the Pending queue as certutil –setextension only works when the request has already been submitted (check). 

Once the request is in the Pending container execute the following:

Certutil –setextension “request ID” “name constraints OID” “flag” @textfile.txt (as created in X above)
Note: the flag can be 0 for recommend and 1 for critical, type help for full syntax.