A question about KeyUsage flags
Hello all,
Can someone please help with the following question :)
I create an .inf file like so:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject="cn=myserver,ou=it,o=mycompany,l=bournemouth,s=dorset,c=uk"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
I create the CSR using the above:
certreq -new c:\inf.inf c:\csr.csr
I dump the contents of the CSR:
certutil -dump c:\csr.csr
and see the following line, as expected:
key usage
digital signature, non-repudiation, key encipherment, data encipherment (f0)
Note that the f0 in brackets above matches what I put in the inf file (all as expected so far).
I request a cert from a Microsoft Enterprise CA specifying the Workstation template, and receive the cert back.
When I open the cert in MMC, the "Key Usage" extension states the following:
digital signature, key encipherment (a0)
Note the a0 above in brackets.
My question: should it not show f0 (not sure why the 0 is there) rather than a0, e.g. 5 gone in
keyCertSign (5),
from the table below:
KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) }
Is this something to do with the template I am requesting from, or am I barking up the wrong tree?
The key usage on the template in AD shows:
signature requirements:
digital signature
allow key exchange key encryption
The application policies on the template show:
client authentication
server authentication
Looking at the details of the Key Usage extension on the template,
there is a checkbox 'not' ticked on the template labelled 'Signature is proof of origin (nonrepudiation)' understand.
Therefore, if I enable this on the template, would it mean f0 appears on the cert?
Any advice welcome.
Thanks
Ernie
> Having an issue with a certificate for SCOM (Microsoft System Center Operations Manager 2012 R2)
OpsMgr is happy with 0xa0 key usage. The OpsMgr certificate is the same as an SSL certificate and is used to provide authentication means. There is nothing about "non-repudiation" or "data decryption". The problem is elsewhere, not in the KeyUsages extension.
Vadims Podāns, aka PowerShell CryptoGuy
Weblog: www.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
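Added example (not part of the original thread, and not either poster's code): a small Python decoder for the one-octet Key Usage values discussed above, using the bit order of the KeyUsage definition quoted in the question. The two sample lines are the display strings quoted in the question; the function names are hypothetical.

```python
import re

# Named bits of the X.509 KeyUsage BIT STRING, in bit order 0..7.
# decipherOnly (bit 8) sits in a second octet and is left out of this sketch.
KEY_USAGE_NAMES = (
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly",
)

def decode_key_usage(octet: int) -> list[str]:
    """Return the usage names set in a one-octet KeyUsage value.

    ASN.1 numbers BIT STRING bits from the most significant end,
    so named bit n corresponds to the mask 0x80 >> n.
    """
    if not 0 <= octet <= 0xFF:
        raise ValueError("expected a single octet (0x00-0xff)")
    return [name for n, name in enumerate(KEY_USAGE_NAMES) if octet & (0x80 >> n)]

def hex_from_display(line: str) -> int:
    """Extract the trailing '(f0)'-style hex value from a Key Usage display line."""
    match = re.search(r"\(([0-9a-fA-F]{2})\)\s*$", line)
    if match is None:
        raise ValueError(f"no hex value found in: {line!r}")
    return int(match.group(1), 16)

def dropped_usages(requested: int, issued: int) -> list[str]:
    """Usages present in the request but absent from the issued certificate."""
    return decode_key_usage(requested & ~issued & 0xFF)

# Display lines as quoted in the question (CSR dump, then issued certificate).
REQUEST_LINE = "digital signature, non-repudiation, key encipherment, data encipherment (f0)"
ISSUED_LINE = "digital signature, key encipherment (a0)"

if __name__ == "__main__":
    requested = hex_from_display(REQUEST_LINE)
    issued = hex_from_display(ISSUED_LINE)
    print(f"requested 0x{requested:02x}:", decode_key_usage(requested))
    print(f"issued    0x{issued:02x}:", decode_key_usage(issued))
    print("dropped by the CA:", dropped_usages(requested, issued))
    print("keyCertSign alone would be 0x04:", decode_key_usage(0x04))
```

The hex digits are a bit mask, not bit indexes: the difference between f0 and a0 is 0x40 plus 0x10, and keyCertSign (5) would appear as 0x04.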