HowTo: Set the AKI extension field for serial and issuer name

Another post from

https://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2005-02/0189.html

“We have a Windows 2003 box which is currently issuing certificates with an Authority Key Identifier extension with a KeyID only (i.e. KeyID=ed 2a 47 a4 e9 09 5a ec 9e 51 1a 81 04 58 78 87 61 3f 94 fc).

How do we add the IssuerName and IssuerSerial number to the AKI field?

Note: the certutil "-setreg policy\EditFlags +EDITF_ENABLEAKIISSUERSERIAL" and "certutil -setreg policy\EditFlags +EDITF_ENABLEAKIISSUERNAME" fail to add these fields to the issued certificates.”

ANSWER:

For a Windows 2003 CA you also need to set the following:

certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERNAME

certutil -setreg ca\CRLEditFlags +EDITF_ENABLEAKIISSUERSERIAL

The ca\CRLEditFlags setting (certutil -setreg ca\CRLEditFlags) enables the CA to generate the extension with these fields populated.

The policy\EditFlags setting (certutil -setreg policy\EditFlags, the one from the question) tells the policy module to leave the fields in the extension.
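
As an added example (not part of the original post), a PowerShell sequence that applies both sets of flags, restarts Certificate Services so the registry change is picked up, reads the values back, and checks the AKI of a certificate issued afterwards; the certificate path is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the CA.
# Assumption: $IssuedCert is a placeholder path to a certificate issued after the restart.

$flags = 'EDITF_ENABLEAKIISSUERNAME', 'EDITF_ENABLEAKIISSUERSERIAL'

# Both layers need the flag: the CA (ca\CRLEditFlags) to build the extension with
# issuer name and serial, and the policy module (policy\EditFlags) to leave them in.
foreach ($f in $flags) {
    certutil -setreg ca\CRLEditFlags "+$f"
    certutil -setreg policy\EditFlags "+$f"
}

# certutil -setreg only writes the registry; Certificate Services reads it at start-up.
Restart-Service -Name CertSvc
certutil -ping        # confirm the CA is answering requests again

# Read both values back; the decoded flag names should now be listed.
certutil -getreg ca\CRLEditFlags
certutil -getreg policy\EditFlags

# Check a certificate issued after the restart. Under "Authority Key Identifier"
# (OID 2.5.29.35) the dump should show "Certificate Issuer:" and
# "Certificate SerialNumber=" alongside the "KeyID=" line that was there before.
$IssuedCert = 'C:\temp\issued.cer'   # placeholder
certutil -dump $IssuedCert | Select-String -Pattern 'Authority Key Identifier' -Context 0,5
```

Certificates issued before the restart keep their KeyID-only AKI; only new issuances reflect the change.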

Spat

PS:

  • My posts seem to vary in text size.... one day I'll figure this out.

  • My URL links don't show up as links when viewed from the main blogs.msdn.com page - I noticed some folks do show up right.. one day I'll figure this out too.

  • It would be really cool if I could search within blogs.msdn.com -- say I only wanted hits from within these blogs.