How to make a stand-alone certification authority that is running Windows Server 2003 with Service Pack 1 or an x64-based version of Windows Server 2003 compliant with ISIS-MTT version 1.1 (888180)



The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition

SUMMARY

If you want to make a stand-alone certification authority (CA) compliant with the ISIS-MTT version 1.1 standard, follow the steps that are described in this article. The issuing CA must force UTF-8 encoding. After a certificate request is submitted, the key usage attribute must be marked as "critical" during the certificate submission process. You can then issue and verify the certificate.

INTRODUCTION

ISIS-MTT is a new German standard for Public Key Infrastructure (PKI) interoperability. ISIS-MTT defines data formats and communication protocols to be employed in interoperable PKI-based applications. The standard focuses on security services for authentication. These services include user identification and data integrity, confidentiality, and non-repudiation. The standard was developed by the German government together with banking, industrial, and academic interests.

To make the Windows certification authority (CA) compliant with ISIS-MTT version 1.1, you must complete specific configuration steps. This step-by-step article describes how to enroll certificates that comply with the ISIS-MTT requirements for a stand-alone CA.

Note Your CA must be a server that is running Microsoft Windows Server 2003 Service Pack 1 (SP1), an x64-based version of Windows Server 2003, or a later version of Windows.

Important The configuration changes that are documented in this article must be applied to the CA that enrolls the certificate. In a PKI topology, this is the parent CA of the certificate requester. If a CA certificate is requested from a subordinate CA, the type of CA that requests the certificate is not relevant.

Use the step-by-step directions in this article if the following conditions are true:
  • The issuing CA issues ISIS-MTT-compliant certificates to subordinate CAs or to end-entities.
  • The issuing CA takes one of the following roles:
    • Stand-alone root CA
    • Stand-alone subordinate CA
To configure the issuing CA correctly, use the following methods:
  • Configure the issuing CA to force UTF8 encoding.
  • Mark the key usage attribute as critical during certificate submission processing.
  • For CA certificates, omit the digital signature entry in the key usage section.

Enforce UTF8 encoding

After you configure a CA to force UTF8 encoding, the UTF8 setting applies to all certificates that are issued with this CA. At the CA that must issue ISIS-MTT-compliant certificates, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following, and then press ENTER:

    certutil -setreg ca\forceteletex +0x20

    This command sets the flag so that the CA always encodes the subject with UTF8.
  3. To stop and then restart the CA service, type the following at a command prompt. Press ENTER after each command.

    net stop "certificate services"

    net start "certificate services"

To undo this change, follow these steps:
  1. Type the following at a command prompt, and then press ENTER:

    certutil -setreg ca\forceteletex -0x20

  2. To stop and then restart the CA service, type the following commands. Press ENTER after each command.

    net stop "certificate services"

    net start "certificate services"

Note Versions of Windows that are earlier than Windows Server 2003 SP1 cannot interpret the "0x20" bit and will ignore it.


Submit the certificate request

Because stand-alone CAs do not support certificate templates, the key properties must be set during certificate request processing. To do this, follow these steps:
  1. On the issuing CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Right-click your certificate, and then click Properties.
  3. Click the Policy Module tab, and then click Properties.
  4. Click Set the certificate request status to pending. The administrator must explicitly issue the certificate, and then click OK.
  5. Create a certificate request file to use with the subordinate CA or with the end-entity.
  6. On the subordinate CA or end-entity, submit the certificate request to the stand-alone CA. To do this, use one of the following methods.

    Method 1: Submit the request by using a Web interface

    For information about how to submit the request by using a Web interface, visit the following Microsoft Web site, and then see "To request a certificate from a Windows Server 2003 CA using a PKCS #10 or PKCS #7 file":

    Method 2: Submit the request by using the Certreq command

    1. At a command prompt, type certreq -submit Path_To_Request_File\Certificate_Request_Filename, and then press ENTER.
    2. In the Select a certification authority (CA) you want to use list, click your issuing CA, and then click OK.
  7. Note the certificate Request-ID that is returned.
To change the key usage and to mark it as critical, see the "Change the key usage, and then mark it as critical" section. To leave the default key usage, but to mark the key usage as critical, see the "Leave the default key usage, but mark it as critical" section.

Note The ISIS-MTT standard requires that the name of a CA contain the following distinguished name attributes:
  • countryName (c)
  • organizationName (o)
The requesting CA must choose an appropriate name for the CA.


Change the key usage, and then mark it as critical

By default, the setting for key usage of CA certificates in Windows is different from the setting for key usage of CA certificates in ISIS-MTT. A CA certificate that is compliant with ISIS-MTT carries the following key usage:

Certificate Signing, Off-line CRL Signing, CRL Signing

To apply this key usage if a CA certificate is requested, type the following at a command prompt, and then press ENTER:

echo 03 02 01 06>File_Name.txt

For an explanation of the hexadecimal numbers that are used in this command, see the "Interpret key usage" section.

To modify the pending CA certificate request to set the key usage and to mark it as critical, type the following at a command prompt, and then press ENTER:

certutil -setextension Request_ID_Noted_In_Step_7_Of_The_Submit_The_Certificate_Request_Section 2.5.29.15 1 @File_Name.txt


Leave the default key usage, but mark it as critical

Use this method only if the key usage was not changed and must be set to critical.

To do this, type the following at a command prompt, and then press ENTER:

certutil -setextension Request_ID_Noted_In_Step_7_Of_The_Submit_The_Certificate_Request_Section 2.5.29.15 1

For an explanation of the hexadecimal numbers that are used in this command, see the "Interpret key usage" section.


Issue and verify the certificate

  1. Issue the pending request.
  2. To verify that the certificate was created correctly, type the following command at a command prompt, and then press ENTER:

    certutil -v Path_Of_File/Certificate_File

  3. View the file output to make sure that the common name is formatted as CERT_RDN_UTF8_STRING.
  4. Make sure that the key usage is set correctly.
  5. Make sure that the Critical flag is set for the key usage object identifier 2.5.29.15.

Interpret key usage

The key usage is represented as a bit string. The first byte is the tag of the bit string type; this is always 03. The second byte gives the length of the value that follows and is set to 02. The remaining bytes hold the actual value of the bit string; in the values used in this article the third byte is always 01, and the last byte carries the key usage bits. The key usage values are defined in the Wincrypt.h include file as follows:

#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_NON_REPUDIATION_KEY_USAGE 0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
#define CERT_CRL_SIGN_KEY_USAGE 0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01

For example, the value 03 02 01 86 sets the following key usages with a logical OR operation:

CERT_DIGITAL_SIGNATURE_KEY_USAGE |
CERT_KEY_CERT_SIGN_KEY_USAGE |
CERT_OFFLINE_CRL_SIGN_KEY_USAGE |
CERT_CRL_SIGN_KEY_USAGE

If you want Certificate Revocation List (CRL) signing and certificate signing only, the hexadecimal value must be 03 02 01 06.
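The following Python script is an added example and is not part of this article or of certutil. It builds the DER key usage value that the echo command above writes to File_Name.txt, decodes such a value back to the Wincrypt.h flag names, wraps it in an X.509 Extension with the critical flag set, and reports the RDN string type of a common name, which covers the three checks in the "Issue and verify the certificate" section. One point it makes explicit: DER defines the third byte of a BIT STRING as the number of unused trailing bits in the last byte, which happens to be 01 for both 06 and 86 but is 07 for a digital-signature-only value of 80. All function names, the sample common name "Contoso Root CA", and the hand-built DER structures are constructed for this example.

```python
"""Added example, not from KB 888180: encode, decode and check the DER
KeyUsage value that certutil -setextension reads from File_Name.txt."""

# Key usage bits as listed on this page from Wincrypt.h.
KEY_USAGE_BITS = {
    "CERT_DIGITAL_SIGNATURE_KEY_USAGE": 0x80,
    "CERT_NON_REPUDIATION_KEY_USAGE": 0x40,
    "CERT_KEY_ENCIPHERMENT_KEY_USAGE": 0x20,
    "CERT_DATA_ENCIPHERMENT_KEY_USAGE": 0x10,
    "CERT_KEY_AGREEMENT_KEY_USAGE": 0x08,
    "CERT_KEY_CERT_SIGN_KEY_USAGE": 0x04,
    "CERT_OFFLINE_CRL_SIGN_KEY_USAGE": 0x02,
    "CERT_CRL_SIGN_KEY_USAGE": 0x02,  # same bit as offline CRL signing
    "CERT_ENCIPHER_ONLY_KEY_USAGE": 0x01,
}

KEY_USAGE_OID = "2.5.29.15"
KEY_USAGE_OID_DER = bytes.fromhex("0603551d0f")   # OBJECT IDENTIFIER 2.5.29.15
COMMON_NAME_OID_DER = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3

# DER string tags and the CERT_RDN_* type that certutil -v reports for them.
RDN_STRING_TYPES = {
    0x0C: "CERT_RDN_UTF8_STRING",
    0x13: "CERT_RDN_PRINTABLE_STRING",
    0x14: "CERT_RDN_TELETEX_STRING",
    0x1E: "CERT_RDN_BMP_STRING",
}


def _tlv(tag, body):
    """Tag-length-value with a short-form length (enough for these sizes)."""
    if len(body) > 127:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body


def _trailing_zero_bits(value):
    return (value & -value).bit_length() - 1 if value else 0


def encode_key_usage(*names):
    """DER BIT STRING 03 02 <unused bits> <value> for the OR of the named flags.
    DER requires the unused-bit byte to equal the trailing zero bits of the
    value byte: 01 for 06 and 86, 07 for 80."""
    value = 0
    for name in names:
        value |= KEY_USAGE_BITS[name]
    if value == 0:
        raise ValueError("at least one key usage bit must be set")
    return _tlv(0x03, bytes([_trailing_zero_bits(value), value]))


def certutil_hex(der):
    """Space-separated hex as typed in the echo ... >File_Name.txt command."""
    return " ".join(f"{b:02x}" for b in der)


def decode_key_usage(der):
    """Sorted Wincrypt.h flag names set in a DER KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING")
    unused, value = der[2], (der[3] if len(der) > 3 else 0)
    if unused != _trailing_zero_bits(value):
        raise ValueError("unused-bit count does not follow DER rules")
    return sorted(n for n, bit in KEY_USAGE_BITS.items() if value & bit)


def encode_extension(key_usage_der, critical=True):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    body = KEY_USAGE_OID_DER
    if critical:  # DER omits a BOOLEAN that equals its DEFAULT
        body += bytes([0x01, 0x01, 0xFF])
    return _tlv(0x30, body + _tlv(0x04, key_usage_der))


def check_extension(ext_der):
    """Return (oid, critical, flag names): what steps 4 and 5 of
    "Issue and verify the certificate" look for."""
    if ext_der[:1] != b"\x30":
        raise ValueError("Extension must be a SEQUENCE")
    body = ext_der[2:2 + ext_der[1]]
    if not body.startswith(KEY_USAGE_OID_DER):
        raise ValueError("not the key usage extension")
    rest = body[len(KEY_USAGE_OID_DER):]
    critical = False
    if rest[:1] == b"\x01":
        critical = rest[2] != 0
        rest = rest[3:]
    if rest[:1] != b"\x04":
        raise ValueError("extnValue must be an OCTET STRING")
    return KEY_USAGE_OID, critical, decode_key_usage(rest[2:2 + rest[1]])


def encode_common_name(text, utf8=True):
    """CN AttributeTypeAndValue as UTF8String (what forceteletex +0x20 makes
    the CA emit) or as PrintableString (ASCII only)."""
    tag, data = (0x0C, text.encode("utf-8")) if utf8 else (0x13, text.encode("ascii"))
    return _tlv(0x30, COMMON_NAME_OID_DER + _tlv(tag, data))


def common_name_string_type(atv_der):
    """RDN string type name, the check in step 3 of "Issue and verify"."""
    tag = atv_der[2 + len(COMMON_NAME_OID_DER)]
    return RDN_STRING_TYPES.get(tag, f"unknown tag 0x{tag:02x}")


if __name__ == "__main__":
    ca_usage = encode_key_usage("CERT_KEY_CERT_SIGN_KEY_USAGE", "CERT_CRL_SIGN_KEY_USAGE")
    print("echo " + certutil_hex(ca_usage) + ">File_Name.txt")   # echo 03 02 01 06>File_Name.txt
    print(check_extension(encode_extension(ca_usage)))
    print(common_name_string_type(encode_common_name("Contoso Root CA")))  # constructed name
```

Running the script prints the exact echo line for an ISIS-MTT CA certificate, then confirms that the wrapped extension carries OID 2.5.29.15 with the critical flag and only the certificate-signing and CRL-signing bits. The decoder rejects a value whose unused-bit byte does not match its trailing zero bits, so a hand-typed hex string with a wrong third byte is caught before it is fed to certutil.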


MORE INFORMATION

Technical support for Windows x64 editions

Your hardware manufacturer provides technical support and assistance for Microsoft Windows x64 editions. Your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

For product information about Microsoft Windows Server 2003 x64 editions, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 6/21/2006
Keywords:kbwinservds kbActiveDirectory kbCertServices kbHOWTOmaster kbinfo KB888180 kbAudITPRO