HowTo: Set the AKI extension field for serial and issuer name


Another post from


“We have a Windows2003 box which is currently issuing certificates with an Authority Key Identifier extension with a KeyID only (i.e. KeyID=ed 2a 47 a4 e9 09 5a ec 9e 51 1a 81 04 58 78 87 61 3f 94 fc).

How do we add the IssuerName and IssuerSerial number to the AKI field?

Note: the certutil “-setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL” and “certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME” fail to add these fields to the issued certificates.”



For a Windows 2003 CA you also need to set the following:


certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME



The first one (certutil -setreg ca\CRLEditFlags) enables the CA to generate the extension with these fields populated.

The second one (certutil -setreg policy\EditFlags) tells the policy module to leave the fields in the extension.
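To confirm the change took effect, the AKI extension of a newly issued certificate can be checked for all three fields. The Python below is an added example, not part of the original post: it parses a DER-encoded AuthorityKeyIdentifier value (RFC 5280 layout), assumed to be already extracted from the certificate, and lists the fields that are missing. The sample values are constructed; only the KeyID comes from the question, while the issuer name "Example CA" and serial 0x1001 are made up.

```python
# Added example: report which AuthorityKeyIdentifier fields a DER value carries.
# RFC 5280 tags: [0] keyIdentifier, [1] authorityCertIssuer, [2] authorityCertSerialNumber.
FIELDS = {0x80: "KeyID", 0xA1: "IssuerName", 0x82: "IssuerSerial"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def aki_fields(der):
    """Parse an AKI extension value; return {field name: raw value bytes}."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AKI value must be one DER SEQUENCE")
    found, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag in FIELDS:
            found[FIELDS[tag]] = value
    return found

def missing_fields(der):
    """List the AKI fields the CA did not populate."""
    present = aki_fields(der)
    return [name for name in FIELDS.values() if name not in present]

def tlv(tag, body):  # short-form DER encoder, used only to build the samples
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed samples. The KeyID is the one quoted in the question; the
# issuer name "Example CA" and serial 0x1001 are made up for illustration.
KEY_ID = bytes.fromhex("ed2a47a4e9095aec9e511a8104587887613f94fc")
_cn = tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA")))
_issuer = tlv(0xA4, tlv(0x30, _cn))    # GeneralName directoryName [4] wrapping a Name
BEFORE = tlv(0x30, tlv(0x80, KEY_ID))
AFTER = tlv(0x30, tlv(0x80, KEY_ID) + tlv(0xA1, _issuer) + tlv(0x82, b"\x10\x01"))

if __name__ == "__main__":
    print("before:", missing_fields(BEFORE), "after:", missing_fields(AFTER))
```

`BEFORE` models the KeyID-only extension from the question, and `AFTER` models a certificate issued once both flags are set.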






