Checklist on building an Offline Root & Intermediate Certificate Authority (CA)

Note: This is a (very very long) compendium of various recommendations and actions that Microsoft, NIST, and other well respected PKI and cryptography experts have said. If you see something that requires even the slightest revision, do let me know.

Before I get into configuring the CA and its subs, it's good to know that even though MSFT's CryptoAPI requires a self-signed root, some non-MSFT software may follow RFC 3280 and allow any CA to be the trusted root for validation purposes. One reason may be that the non-MSFT software prefers a lower key length.

Here are some configuration notes & guidance on setting up a CA ROOT and the Subs:

Storing the CA's Private Key

  • Best: Store the key on a HSM that supports key counting. Every time the CA's private key is used, the counter will be increased. This improves your audit profile. Look for FIPS140 Level 3 or 4

  • Good: Store the Private key on a smart card. Though I'm unaware of any Smart Card that offers key counting, enabling key counting may give you unexpected results in the event log

  • Acceptable: Store the private key in Windows DPAPI. Ensure that these keys and the Key Enrollment agent don't end up in Roaming Credentials. See also: How to enumerate DPAPI and Roaming Credentials

Key Length

  • Don't use 1024 as a key length... NIST phased it out in 2011, MSFT won't ever add it into your Trusted Root CA store since it won't meet the minimum accepted technical criteria.

  • Root CAs that supports legacy apps should never be larger than 2048 bits. Reason: MSFT Support sees many cases where Java apps or network devices only support key sizes of 2048 bytes. Save the higher bit lengths to CAs that are constrained for a specific purpose (Windows vs Network devices) etc.

  • The NIST recommends 2048 or 3072 bits. ECC is supported, though it may cause issues with device interoperability.

  • Plan for the strongest possible encryption (key length) throughout the PKI, otherwise expect mixed security benefits.

  • Mobile clients have issues (High CPU) or incompatibility with large keys

Expiration

The algorithm & Key length can have a bearing on how long you want certificates to be valid, because they effectively determine how long it might take an attacker crack, ie the stronger the cryptography, the longer you might be prepared to have certificates valid for

One approach is to establish what is the longest validity you'll require for end entity certificates, double it for the issuing ca's, and then double it again for root ca (in two tier). With this approach you would routinely renew each ca certificate when half of it's lifetime was reached - this is because a ca can't issue certificates with an expiry date after that of the ca certificate itself.

Suitable values can only really be determined by your organisation & security policy, but typically a root ca would have a certificate lifetime of 10 or 20 years.

If you're concerned about compatibility, set the expiration date below 2038. This is due to systems that encode a data as seconds since January 1st 1970 over a signed 32 bit integer. Read more about this issue here.

Choosing a Hash

  • You may want to imitate the Federal PKI Management Authority and set up two PKI roots. One modern SHA-256 for all devices that support it, and one legacy SHA-1. Then use cross certificates to map between the two deployments.

  • Review this SHA-2 compatibility list for Microsoft software

Notably:

  • Windows 2003 and XP clients may need a patch for SHA2 Algorithms which include SHA256, SHA384, and SHA512. See more technical information

  • Authenticode and S/MIME with SHA2 hashing is not supported on XP or 2003

  • "Regarding SHA-224 support, SHA-224 offers less security than SHA-256 but takes the same amount of resources. Also SHA-224 is not generally used by protocols and applications. The NSA's Suite B standards also do not include it." source

  • "Do not use SHA2 suite anywhere in the CA hierarchy if you plan to have XP either trust the certificate, validate the certificate, use the certificate in chain validation, or receive a certificate from the CA. Even though XP SP3 allows validation of certiifcates that use SHA2 in the CA hierarchy, and KB 968730 allows limited enrollment of certificates that are signed by a CA using SHA2, any use of discrete signatures blocks out XP entirely." (source)

Choosing a Cryptographic Provider

  • View this list of providers for more information

Enable random serial number generation

As of 2012, this is required if you use MD5 as a hash. It's still a good idea if SHA1 or greater is used. Also see this Windows 2008R2 "how to" for more information.

Create a Certificate Practice Statement

A certificate practice statement is a statement of the practices that IT uses to manage the certificates that it issues. It describes how the certificate policy of the organization is interpreted in the context of the system architecture of the organization and its operating procedures. The IT department is responsible for preparing and maintaining the certificate practice statement. (source)

NOTE: In some situations, such as when digital signatures are used on binding contracts, the certificate practice statement can also be considered a legal statement about the level of security that is provided and the safeguards that are being used to establish and maintain the security level.

For assistance writing a CPS statement, here is a Microsoft produced "Job Aid"

Best Practice: Although it is possible to put freeform text into this field (see notice below), the ideal solution is to use a URL. This allows the policy to be updated without reissuing the certificates, it also prevents unneeded bloating of the certificate store.

[LegalPolicy]
OID = 1.3.6.1.4.1.311.21.43
Notice = "Legal policy statement text"
URL = "http://www.example.microsoft.com/policy/isspolicy.asp"

Certificate Policies

Also known as issuance policies, or assurance policies (in MSFT), this is a self defined OID that describes the amount of trust one should put into your certificate (high, med, low, etc). See this StackExchange answer for how to properly use this field.

Ensure Application Policies and EKU Policies match

Application Policies is an optional Microsoft convention. If you are issuing certificates that include both application policy and EKU extensions, ensure that the two extensions contain identical object identifiers.

Enable CRL checking

Normally, a Windows Server 2003 CA will always check revocation on all certificates in the PKI hierarchy (except the root CA certificate) before issuing an end-entity certificate. To disable this feature, use the following command on the CA, and then restart the CA service:

 certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE  

CRL Distribution Point

Special Guidance for Root CAs

  • This is optional in a Root CA, and if done incorrectly it may expose your private key.

  • All CRL publication is done manually from an offline RootCA to all other sub-CA's. An alternative is to use an audio cable to facilitate one-way communication from the Root to Sub CA's

  • It is perfectly acceptable to have the Root CA issue different CRL locations for each issued certificate to subordinate CAs.

  • Having a CRL at the root is a best practice if two PKIs trust each other and policy mapping is done. This permits the certificate to be revoked.

Getting the CRL "right" is pretty important since it's up to each application to do the CRL check. For example, smart card logon on domain controllers always enforce the revocation check and will reject a logon event if the revocation check cannot be performed or fails.

Note If any certificate in the chain cannot be validated or is found to be revoked, the entire chain takes on the status of that one certificate.

  • A self-signed root CA should not list any CDPs. Most windows applications don't enable the CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag and therefore ignore the CDP (this is the default validation mode). If the flag is enabled, and the CDP is blank for the self signed root cert, no error is returned.

  • Don't use HTTPS and LDAPS. These URLs are no longer supported as distribution point references. Reason is that HTTPS and LDAPS URLs use certificates that may or may not be revoked. The revocation checking process can result in revocation loops when HTTPS or LDAPS URLs are used. To determine if the certificate is revoked, the CRL must be retrieved. However, the CRL cannot be retrieved unless the revocation status of the certificates used by HTTPS or LDAPS is determined.

  • Consider using HTTP instead of LDAP- Although AD DS enables publication of CRLs to all domain controllers in the forest, implement HTTP instead of LDAP for revocation information publication. Only HTTP enables the use of the ETag and Cache-Control: Max-age headers providing better support for proxies and more timely revocation information. In addition, HTTP provides better heterogeneous support as HTTP is supported by most Linux, UNIX, and network device clients.

  • Another reason to not use LDAP is because the revocation window to be smaller. When using AD LDAP to replicate CA information, the revocation window couldn't be less than the time for all sites in AD to get the CA update. Oftentimes this replication could take up to 8 hours... that is 8 hours until a smartcard user's access is revoked. 'Todo: the new recommended CRL refresh time is: ?????`

  • Make all the URLs highly available (aka don't include LDAP for external hosts). Windows will slow down the validation process for up to 20 seconds and retry the failed connection repeatedly at least as frequently as every 30 min. I suspect that Pre-fetching will cause this to occur even if the user isn't actively using the site.

  • Monitor the size of your CRL. If the CRL object is so large that CryptoAPI is not able to download the object within the allotted maximum timeout threshold, a “revocation offline” error is returned and the object download is terminated.

Note: CRL distribution over HTTP with ETAG Support may cause issues with IE6 when using Windows 2003 / IIS6, where the TCP connection is continually reset.

  • (Optional) Enable Freshest CRL: This non-critical extension lists the issuers and locations from which to retrieve the delta CRLs. If the “Freshest CRL” attribute is neither present in the CRL nor in the certificate, then the base CRL will be treated as a regular CRL, not as part of a base CRL/delta CRL pair.

The Microsoft CA does not put the “Freshest CRL” extension into issued certificates. However, it is possible to add the “Freshest CRL” extension to an issued certificate. You would have to write code to add it to the request, write a custom policy module, or use certutil –setextension on a pending request. For more information about advanced certificate enrollment, see the “Advanced Certificate Enrollment and Management” documentation on the Microsoft Web site

Warning If delta CRLs are enabled at a CA, both the base CRL and delta CRL must be inspected to determine the certificate’s revocation status. If one of the two, or both, are unavailable, the chaining engine will report that revocation status cannot be determined, and an application may reject the certificate.

CRL Sizing and maintenance (CRL Partitioning)

The CRL will grow 29 bytes for every certificate that is revoked. Accordingly, revoked certificates will be removed from the CRL when the certificate reaches its original expiration date.

Since renewing a CA cert causes a new/blank CRL to be generated, Issuing CAs may consider renewing the CA with a new key every 100-125K certificates to maintain a reasonable CRL size. This issuance number is based on the assumption that approximately 10 percent of the issued certificates will be revoked prior to their natural expiration date. If the actual or planned revocation rate is higher or lower for your organization, adjust the key renewal strategy accordingly. More info

Also consider partitioning the CRL more frequently if the expiration is more than 1 or two years, as the likelihood of revocation increases.

The drawback to this is increased startup times, as each cert is validated by the server.

CRL Security Precautions

If using a CRL, don't sign the CRL with MD5. It's also a good idea to add randomization to the CRL signing key.

Authority Information Access

This field allows the Certificate validation subsystem to download additional certificates as needed if they are not resident on the local computer.

  • A self-signed root CA should not list any AIA locations (see reason here)

  • A maximum of five URLs are allowed in the AIA extension for every certificate in the certificate chain. In addition, a maximum of 10 URLs for the entire certificate chain is also supported. This limitation on the number of URLs was added to mitigate the potential use of “Authority Info Access” references in denial of service attacks.

  • Don't use HTTPS and LDAPS. These URLs are no longer supported as distribution point references. Reason is that HTTPS and LDAPS URLs use certificates that may or may not be revoked. The revocation checking process can result in revocation loops when HTTPS or LDAPS URLs are used. To determine if the certificate is revoked, the CRL must be retrieved. However, the CRL cannot be retrieved unless the revocation status of the certificates used by HTTPS or LDAPS is determined.

Enable OCSP Validation

The OCSP responder is conventionally located at: http://<fqdn of the ocsp responder>/ocsp. This url needs to enabled in the AIA. See these instructions for Windows.

Do know that full OCSP validation is off by default (though it should be "on" for EV certs according to the specification). In addition, enabling OCSP checking does add latency to the initial connection

More secure systems will want to enable OCSP monitoring on the client or the server side

OCSP Cache duration

All OCSP actions occur over the HTTP protocol and therefore are subject to typical HTTP proxy cache rules.

Specifically the Max-age header defines the maximum time that a proxy server or client will cache a CRL or OCSP response before using a conditional GET to determine whether the object has changed. Use this information to configure the web server to set the appropriate headers. Look elsewhere on this page for AD-IIS specific commands for this.

Define a policy in issued certificates

The parent CA defines whether or not to allow CA certificate policies from sub CAs. It is possible to define this setting when a issuer or application policy needs to be included in a sub CA.

Example polices include an EKU for SmartCards, Authentication, or SSL/Server authentication.

  • Beware of certificates without the Certificate Policies extension as it can complicate the Policy Tree. See RFC 5280 for more information

  • Know that policy mappings can replace other policies in the path

  • There is a special policy called anypolicy that alters processing

  • There are extensions that alter anypolicy

  • If you use certificate policies, be sure to mark them as critical otherwise the computed valid_policy_tree becomes empty, turning the policy into a glorified comment.

Monitor the DN length enforcement

The original CCITT spec for the OU field says it should be limited to 64 characters. Normally, the CA enforces x.500 name length standards on the subject extension of certificates for all requests. It is possible that deep OU paths may exceed normal length restrictions.

Cross Certificate Distribution Points

This feature assists where environments need to have two PKIs installed, one for legacy hardware/software that doesn't support modern cryptography, and another PKI for more modern purposes.

Restrict the EKU

In contrast with RFC 5280 that states “in general, [sic] the EKU extension will appear only in end entity certificates." it's a good idea to put constraints on the CA Key usage.

A typical stand-alone CA certificate will contain permissions to create Digital Signatures, Certificate Signing, and CRL signing as key values. This is part of the issue with the FLAME security issue.

The MSFT smart card implementation requires either of the following EKUs and possibly a hotfix

  • Microsoft smart card EKU
  • Public Key Cryptography for the Initial Authentication (PKINIT) client Authentication EKU, as defined in the PKINIT RFC 4556

It also has interesting constraints around validating EKU (link tbd).

If you're interested in having any EKU restrictions you should see this answer regarding OIDs and this regarding contrained certificates

Use caution with Basic Constraints "Path"

The Basic Constraint should describe if the certificate is an "end entity" or not. Adding a path constraint to a intermediate CA may not work as expected since it's an uncommon configuration and clients may not honor it.

Qualified Subordination for Intermediate CAs

  • To limit the types of certificates a subCA can offer see this link, and this one

  • If qualified subordination is done, revoking a cross signed root may be difficult since the roots don't update the CRLs frequently.

Authority Key Identifier / Subject Key Identifier

Note If a certificate’s AKI extension contains a KeyID, CryptoAPI requires the issuer certificate to contain a matching SKI. This differs from RFC 3280 where SKI and AKI matching is optional. (todo: Why would someone choose to implement this?)

AKI matching to find key parent

Give the Root and CA a meaningful name

People will interact with your certificate when importing it, reviewing imported certificates, and troubleshooting. MSFT's recommended practice and requirement is that the root has a meaningful name that identifies your organisation and not something abstract and common like CA1.

This next part applies to names of Intermediate/subCA's that will be constrained for a particular purpose: Authentication vs Signing vs Encryption

Surprisingly, End users and technicians who don't understand PKI's nuances will interact with the server names you choose more often than you think if you use S/MIME or digital signatures (etc).

I personally think it's a good idea to rename the issuing certificates to something more user friendly such as "Company Signer 1" where I can tell at a glance

  • Who is the signature going to come from (Texas A&M or their rival)
  • What is it used for? Encryption vs Signing

It's important to tell the difference between a message that was encrypted between two parties, and one that was signed. One example where this is important is if I can get the recipient to echo a statement I send to them. User A could tell user B "A, I owe you $100". If B responded with an echo of that message with the wrong key, then they effectively digitally notarized (vs just encrypting) a fictitious $100 debt.

Here is a sample user dialog for S/MIME. Expect similar UIs for Brower based certificates. Notice how the Issuer name isn't user friendly.

Select a SMIME certificate.. really?

Alternate Encodings

Note: Speaking of names, if any link in the chain uses an alternate encoding, then clients may not be able to verify the issuer field to the subject. Windows does not normalize these strings during a comparison so make sure the names of the CA are identical from a binary perspective (as opposed to the RFC recommendation).

Name matching to find key parent

High Security/Suite B Deployments

  • Here is information regarding the Suite B algorithms supported in Windows 2008 and R2

    ALGORITHM SECRET TOP SECRET

    Encryption: Advanced Standard (AES) 128 bits 256 bits

    Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) 256 bit curve. 384 bit curve

    Key Exchange: Elliptic Curve Diffie-Hellman (ECDH) 256 bit curve. 384 bit curve

    Hashing: Secure Hash Algorithm (SHA) SHA-256 SHA-384

  • For Suite B compliance, the ECDSA_P384#Microsoft Software Key Service Provider as well as the 384 key size and SHA384 as the hash algorithm may also be selected if the level of classification desired is Top Secret. The settings that correspond with the required level of classification should be used. ECDSA_P521 is also available as an option. While the use of a 521 bit ECC curve may exceed the cryptographic requirements of Suite B, due to the non-standard key size, 521 is not part of the official Suite B specification.

PKCS#1 v2.1

  • XP clients and many non-windows systems do not support this new signature format. This should be disabled if older clients need to be supported. More Info

  • I would only recommend using it once you move to ECC algorithms for asymmetric encryption. (source)

Protect Microsoft CA DCOM ports

The Windows Server 2003 CA does not enforce encryption on the ICertRequest or ICertAdmin DCOM interfaces by default. Normally, this setting is not required except in special operational scenarios and should not be enabled. Only Windows Server 2003 machines by default support DCOM encryption on these interfaces. For example, Windows XP clients will not by default enforce encryption on certificate request to a Windows Server 2003 CA. source

CNG private key storage vs CSP storage

If you enroll Certificate Template v3, the private key goes into the CNG private key storage on the client computer. If you enroll Certificate Template v2 or v1, the private key goes into CSP storage. The certificates will be visible to all applications in both cases, but not their private keys - so most applications will show the certificate as available, but will not be able to sign or decrypt data with the associated private key unless they support CNG storage.

You cannot distinguish between CNG and CSP storages by using the Certificate MMC. If you want to see what storage a particular certificate is using, you must use CERTUTIL -repairstore my * (or CERTUTIL -user -repairstore my *) and take a look at the Provider field. If it is saying "... Key Storage Provider", than it is CNG while all other providers are CSP.

If you create the initial certificate request manually (Create Custom Request in MMC), you can select between "CNG Storage" and "Legacy Key" where legacy means CSP. The following is my experience-based list of what does not support CNG - you cannot find an authoritative list anywhere, so this arrises from my investigations over time:

  • EFS Not supported in Windows 2008/Vista, Supported in Windows 7/2008R2
  • user encryption certificates
  • VPN/WiFi Client (EAPTLS, PEAP Client)

  • Windows 2008/7 Not supported with user or computer certificate authentication

  • TMG 2010 server certificates on web listeners
  • Outlook 2003 user email certificates for signatures or encryption
  • Kerberos Windows 2008/Vista- DC certificates
  • System Center Operations Manager 2007 R2
  • System Center Configuration Manager 2007 R2
  • SQL Server 2008 R2-
  • Forefront Identity Manager 2010 Certificate Management

More information on CNG compatibility is listed here (in Czech, though Chrome handles the auto-translation well)

Smart Cards & Issuing CAs

If you plan on giving users a second smart card for authentication, use a second issuer CA for that. Reason: Windows 7 requirements

Use the Windows command CERTUTIL -viewstore -enterprise NTAuth for troubleshooting Smartcard logins. The local NTAuth store is the result of the last Group Policy download from the Active Directory NTAuth store. It is the store used by smart card logon, so viewing this store can be useful when troubleshooting smart card logon failures.

Decommissioning a PKI Tree

If you deploy two PKI trees, with the intent to decommission the legacy tree at some point (where all old devices have become obsolete or upgraded) it may be a good idea to set the CRL Next Update field to Null. This will (should?) prevent the continual polling for new CRLS to the clients. The reasoning is that once the PKI is decommissioned, there will be no more administration, and no more revoked certs. All remaining certs are simply left to expire.

More information on PKI decommissioning available here


AD CS Specific commands

This is a list of commands relevant to configuring a Windows 2008 R2 CA Server. I removed them from the other post since that informative was getting too long, and not all the commands directly relate to setting up a CA.

This is more of the How to section, rather the "what and why". It also includes version-specific differences between CA versions (2000 vs 2003, vs 2008)


List what Enrollment Policy Edit Flags

Some requests from the client may get automatically stripped based on these hidden server settings.

C:\Users\ChrisLamont>certutil -getreg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration:

Keys:
  Secure Email Root v1

Values:
  Active                   REG_SZ = Secure Email Root v1
  DBDirectory              REG_SZ = C:\Windows\system32\CertLog
  DBLogDirectory           REG_SZ = C:\Windows\system32\CertLog
  DBTempDirectory          REG_SZ = C:\Windows\system32\CertLog
  DBSystemDirectory        REG_SZ = C:\Windows\system32\CertLog

  DBSessionCount           REG_DWORD = 64 (100)
  LDAPFlags                REG_DWORD = 0

  DBFlags                  REG_DWORD = b0 (176)
    DBFLAGS_MAXCACHESIZEX100 -- 10 (16)
    DBFLAGS_CHECKPOINTDEPTH60MB -- 20 (32)
    DBFLAGS_LOGBUFFERSHUGE -- 80 (128)

  Version                  REG_DWORD = 40001 (262145) -- 4.1
  SetupStatus              REG_DWORD = 6001 (24577)
    SETUP_SERVER_FLAG -- 1
    SETUP_DCOM_SECURITY_UPDATED_FLAG -- 2000 (8192)
    SETUP_SERVER_IS_UP_TO_DATE_FLAG -- 4000 (16384)
CertUtil: -getreg command completed successfully.

C:\Users\ChrisLamont>certutil -getreg policy\editflags

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Secur
e Email Root v1\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditF
lags:

  EditFlags REG_DWORD = 83ee (33774)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8        // <--- THIS ENTRY REMOVES A CLIENT'S Key Agreement  
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -getreg command completed successfully.

The solution is to run the command certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE which in turn updates

     Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

How to define a policy on a Per CA Basis

To include a policy in issued certificates, enter the following commands at a command prompt:

 certutil -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"
 certutil –shudown
 net start certsvc

You can disable the setting with

  certutil -v -setreg policy\EnableRequestExtensionlist      "-2.5.29.32"
  certutil –shudown
  net start certsvc

How to define OCSP cache duration

The following commands let you set, modify, and delete the Max-Age header setting.

  appcmd set config /section:httpProtocol /+customHeaders.[name='cacheControlHeader',value='max-age=604800']

To view the current httpProtocol custom headers

  appcmd list config /section:httpProtocol

How to import offline CA certificates into AD

:
: Root CA certificates
:
certutil -dspublish -f concorp-ca-00_CorporateRootCA.crt RootCA
:
: Sub CA certificate
:
certutil -dspublish -f connoam-ca-00_IntermediateCA1.crt SubCA
:
: Root CA CRLs
: Since these are .NET CA CRLS that have the publication location as
: part of the CRL, the publication location is optional
:
:                                              |-- publication location ---|
:
certutil -dspublish -f CorporateRootCA.crl     concorp-ca-00 CorporateRootCA
:
: Sub CA CRLs
:
certutil -dspublish -f IntermediateCA1.crl     connoam-ca-00 IntermediateCA1

How to enable PKCS#1 v1.21

This is enabled when the CAPolicy.inf file has AlternateSignatureAlgorithm=1. Be sure to be aware of compatibility issues.

Finally one should know that installing AD Certificate Services isn't as simple as adding the role. You should check this VBS Installation script and ensure file CAPolicy.inf should be edited as needed for your environment

How to define a Cross Certificate Distribution Point

Windows AD Certificate Services enable this in the CAPolicy.info file with the [CrossCertificateDistributionPointsExtension] entry

Misc: AIA differences when upgrading Windows 2000 CA to Windows 2003

Note that there is a change in behavior between Windows 2000 and 2003 CAs. The AKI extension of certificates issued by Windows CAs differs between Windows 2000 and Windows Server 2003. By default, the following information is stored in the AIA extension of issued certificates.

  • Windows 2000 The AIA extension of certificates issued by the CA includes the LDAP DN of the issuing CA (Issuer name), the serial number of the issuing CA’s certificate, and the key hash of the CA certificate’s public key.

  • Windows Server 2003 The AIA extension of certificates issued by the CA only includes a hash of the public key of the issuing CA, also known as the Key-ID.

The change in behavior is due to chaining errors that could occur when a CA’s certificate was renewed. The default Windows 2000 behavior could result in incomplete chains if the CA certificate used to sign the issued certificate was not available to the client. With the Windows Server 2003 default behavior, if the CA was renewed with the same key pair, any CA certificate for the issuing CA that uses the same key pair could be included in the certificate chain.

You can imitate the old behavior by running this command

 certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERNAME
 certutil -setreg policy\EditFlags -EDITF_ENABLEAKIISSUERSERIAL

Listing certificates in AD

This command will list the certificates published in Active Directory.

certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?one?objectClass=certificationAuthority"

ISIS MTT v1.1 PKI Compatibility

See this KB Article for procedures, also here is an alternative CAPolicy.inf method for ISIS MTT v1.1


one point on the checklist often gets missed:

  • BACKUPS
  • BACKUPS
  • BACKUPS

esp. if you implement a CA.