Additional Certificate Attributes

Hendrik Brockhaus

How can I set additional attributes in the certrqma.asp
web page for certificates to be issued by a Microsoft
Windows 2000 CA (either stand-alone or enterprise)?
 
David Cross [MS]

Can you provide an example of what type of attribute you would like to be
set? Some can be set at request time, some can be set at submission time.
 
David Cross [MS]

Yes, this can be done: specify "SAN:dns=foo.bar" as a request attribute in
the Additional Attributes text.

For key usage, this has to be defined by the CA template:

Cert templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp





--
David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Hendrik Brockhaus said:
Hello David,

As an example I would like to issue certificates with a
SubjectAlternativeName of the type DNSname and I would
like to input the DNS name value somewhere in the Advanced
Certificate Request web page.
In the Advanced Certificate Request web page there is the
Attributes text box in the Additional Options part of the
page. My idea was to somehow input the SubjectAltName
request data in that box. Is that the only way to do it?
What kind of information can I provide in what format in
that box?
How can I provide a KeyUsage attribute and set it critical?

Kind regards,
Hendrik

Vishal Agarwal[MSFT]

What additional attributes are you interested in putting in the certificate?

Thanks,
Vishal[MSFT]
 
Hendrik Brockhaus

Hello Vishal,

As an example I would like to issue certificates by a
Windows 2000 CA (stand-alone or enterprise) with a
KeyUsage attribute and set it critical and I would like to
input the key usage values somewhere in the Advanced
Certificate Request web page.
In the Advanced Certificate Request web page there is the
Attributes text box in the Additional Options part of the
page. My idea was to somehow input the KeyUsage request
data in that box. Is that the only way to do it? What kind
of information can I provide in what format in that box?

As a second example I would like to issue certificates by
a Windows 2000 CA (stand-alone or enterprise) with a
SubjectAltName of the type DNSname and I would like to
input the DNS name value somewhere in the Advanced
Certificate Request web page.
In the Advanced Certificate Request web page there is the
Attributes text box in the Additional Options part of the
page. My idea was to somehow input the SubjectAltName
request data in that box. Is that the only way to do it?
What kind of information can I provide in what format in
that box?
David B. Cross [MS] already gave me the information to set
the SubjectAltName as "SAN:dns=foo.bar", but this works
neither with my Windows 2000 stand-alone nor with my
Windows 2000 enterprise CA.

Can you help?

Kind regards,
Hendrik

Hendrik Brockhaus

Thanks David for your reply, but I am sorry
the "SNA:dns=foo.bar" string in the Advanced Certificate
Request web page (in the Attributes text box) of my
Windows 2000 CA (stand-alone and enterprise) did not work.

Best Regards,
Hendrik

David Cross [MS]

I am checking to see if this can be done with a Windows 2000 CA. This is
definitely supported in Windows Server 2003 - see doc for more info:

Operations guide -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp


--
David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com


Vishal Agarwal[MSFT]

Hi,
You also need to do
certutil -setreg policy\EditFlags EDITF_ATTRIBUTESUBJECTALTNAME2

And, for subject RDNs in request attributes, you may need to enable the
following:

certutil -setreg ca\CRLFlags CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

on the CA and then restart the CA.

After that submit the request again.

Thanks,
Vishal[MSFT]

--
This posting is provided "AS IS" with no warranties, and confers no rights

Hendrik Brockhaus

Hi Vishal,

Thanks for your answer.
As I mentioned I work on a Windows 2000 CA and tried to
set the policy flag as you mentioned, but it did not work.

C:\>certutil -setreg policy\EditFlags EDITF_ATTRIBUTESUBJECTALTNAME2
RCC 1 root CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
EditFlags REG_DWORD = 1bee (7150)
EDITF_REQUESTEXTENSIONLIST
EDITF_DISABLEEXTENSIONLIST
EDITF_ADDOLDKEYUSAGE
EDITF_ATTRIBUTEENDDATE
EDITF_BASICCONSTRAINTSCRITICAL
EDITF_BASICCONSTRAINTSCA
EDITF_ENABLEAKIKEYID
EDITF_ATTRIBUTECA
EDITF_ENABLEAKIISSUERNAME
EDITF_ENABLEAKIISSUERSERIAL
CertUtil: -setreg command FAILED: 0x8007000d (WIN32: 13)
CertUtil: The data is invalid.

Is it possible that this only works for Windows 2003
Server? How to do it on a Windows 2000 Server and what
about the KeyUsage?

Best Regards,
Hendrik
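
Added example (not part of the original thread and not Microsoft's code): a Python sketch that decodes the EditFlags DWORD from the certutil listing in the post above and reports which enabled flags let request attributes, such as the SAN attribute discussed in this thread, reach the issued certificate. The bit positions follow the Windows SDK header certsrv.h; the function names and the REQUEST_DRIVEN grouping are assumptions of this example.

```python
import re

# EDITF_* names in bit order (bit 0 first), per certsrv.h; bit 18 is 0x00040000.
_NAMES = ("ENABLEREQUESTEXTENSIONS REQUESTEXTENSIONLIST DISABLEEXTENSIONLIST "
          "ADDOLDKEYUSAGE ADDOLDCERTTYPE ATTRIBUTEENDDATE BASICCONSTRAINTSCRITICAL "
          "BASICCONSTRAINTSCA ENABLEAKIKEYID ATTRIBUTECA IGNOREREQUESTERGROUP "
          "ENABLEAKIISSUERNAME ENABLEAKIISSUERSERIAL ENABLEAKICRITICAL "
          "SERVERUPGRADED ATTRIBUTEEKU ENABLEDEFAULTSMIME EMAILOPTIONAL "
          "ATTRIBUTESUBJECTALTNAME2").split()
EDITF = {1 << i: "EDITF_" + n for i, n in enumerate(_NAMES)}

# Grouping assumed for this example: flags that honour values sent as request attributes.
REQUEST_DRIVEN = {"EDITF_ATTRIBUTEENDDATE", "EDITF_ATTRIBUTECA",
                  "EDITF_ATTRIBUTEEKU", "EDITF_ATTRIBUTESUBJECTALTNAME2"}

def decode(value):
    """Names of all set bits, lowest first; bits missing from the table come back as hex."""
    return [EDITF.get(1 << b, "UNKNOWN_0x%08x" % (1 << b))
            for b in range(32) if value & (1 << b)]

def parse_editflags(output):
    """Return the EditFlags DWORD after cross-checking hex, decimal and listed names."""
    m = re.search(r"EditFlags REG_DWORD = ([0-9a-fA-F]+) \((\d+)\)", output)
    if not m:
        raise ValueError("no EditFlags REG_DWORD line found")
    value = int(m.group(1), 16)
    if value != int(m.group(2)):
        raise ValueError("hex and decimal renderings disagree")
    listed = []
    for line in output[m.end():].splitlines()[1:]:
        if not line.strip().startswith("EDITF_"):
            break  # the flag listing ends at the first non-flag line
        listed.append(line.strip())
    if sorted(listed) != sorted(decode(value)):
        raise ValueError("listed flag names do not match the DWORD")
    return value

def audit(output):
    """Request-driven flags enabled in a captured certutil EditFlags listing."""
    return sorted(REQUEST_DRIVEN.intersection(decode(parse_editflags(output))))

# Sample input: the listing quoted in the post above, wrapped lines re-joined.
SAMPLE = """\
Old Value:
EditFlags REG_DWORD = 1bee (7150)
EDITF_REQUESTEXTENSIONLIST
EDITF_DISABLEEXTENSIONLIST
EDITF_ADDOLDKEYUSAGE
EDITF_ATTRIBUTEENDDATE
EDITF_BASICCONSTRAINTSCRITICAL
EDITF_BASICCONSTRAINTSCA
EDITF_ENABLEAKIKEYID
EDITF_ATTRIBUTECA
EDITF_ENABLEAKIISSUERNAME
EDITF_ENABLEAKIISSUERSERIAL
CertUtil: -setreg command FAILED: 0x8007000d (WIN32: 13)
"""

if __name__ == "__main__":
    print(hex(parse_editflags(SAMPLE)), audit(SAMPLE))
```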

Hendrik Brockhaus

Thanks David, it would be great if you could find out how
to do this with a Windows 2000 CA.

Best regards,
Hendrik

Vishal Agarwal[MSFT]

Sorry, this is not supported on Win2000. Neither is modifying KeyUsage
supported on Win2000.

Thanks,
Vishal[MSFT]

--
This posting is provided "AS IS" with no warranties, and confers no rights

Hendrik Brockhaus

That's a pity!

Thanks,
Hendrik