HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.


When you request Key Encipherment and Key Agreement together in the key usage, the CA strips off the Key Agreement flag by default.


Here are the available flags:


#define CERT_DIGITAL_SIGNATURE_KEY_USAGE    0x80
#define CERT_NON_REPUDIATION_KEY_USAGE      0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE     0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE    0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE        0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE        0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE     0x02
#define CERT_CRL_SIGN_KEY_USAGE             0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE        0x01


If you dump the request before you submit it, via “certutil -dump request.csr”, you will see that it carries the proper flags:



2.5.29.15: Flags = 0, Length = 4
 Key Usage
     Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)




However, once you submit it and view the issued request’s properties, you will see that the Key Usage has changed:


certutil -view -restrict requestid=5 -v -out ext:2.5.29.15



Row 1:
  Certificate Extensions:
    2.5.29.15: Flags = 20000(Origin=Policy), Length = 4
    Key Usage
        Digital Signature, Key Encipherment, Data Encipherment (b0)


    0000  03 02 04 b0                                        ….


How can we avoid this?


You remove the EDITF_ADDOLDKEYUSAGE flag from the policy module’s EditFlags as follows:


certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE



SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:


Old Value:
  EditFlags REG_DWORD = 83ee (33774)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)



New Value:
  EditFlags REG_DWORD = 83e6 (33766)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ATTRIBUTEENDDATE -- 20 (32)
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_BASICCONSTRAINTSCA -- 80 (128)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ATTRIBUTECA -- 200 (512)
    EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect
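To make the two bitmasks in this post concrete, here is an added Python example (not code from the original post or from certutil) that decodes the Key Usage BIT STRING exactly as certutil dumps it (tag 03, length, unused-bit count, usage byte) and decodes the policy EditFlags DWORD with the names listed above. The issued-certificate bytes 03 02 04 b0 are the ones shown in the post; the request bytes 03 02 03 b8 are constructed from the (b8) in the CSR dump, and all function names are this example's own.

```python
"""Decode an X.509 Key Usage extension (OID 2.5.29.15) and a Windows CA
policy\\EditFlags value, using the bit definitions from the post.

Added example, not code from the original post. Function names are
this example's own; sample values are taken or constructed from the
certutil output in the post.
"""

# Key usage bits from wincrypt.h (first byte of the BIT STRING).
# CERT_OFFLINE_CRL_SIGN_KEY_USAGE and CERT_CRL_SIGN_KEY_USAGE share 0x02.
KEY_USAGE_BITS = [
    (0x80, "Digital Signature"),
    (0x40, "Non-Repudiation"),
    (0x20, "Key Encipherment"),
    (0x10, "Data Encipherment"),
    (0x08, "Key Agreement"),
    (0x04, "Certificate Signing"),
    (0x02, "CRL Signing"),
    (0x01, "Encipher Only"),
]

# policy\EditFlags bits, as named in the certutil -setreg output in the post.
EDIT_FLAGS = {
    0x2: "EDITF_REQUESTEXTENSIONLIST",
    0x4: "EDITF_DISABLEEXTENSIONLIST",
    0x8: "EDITF_ADDOLDKEYUSAGE",
    0x20: "EDITF_ATTRIBUTEENDDATE",
    0x40: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x80: "EDITF_BASICCONSTRAINTSCA",
    0x100: "EDITF_ENABLEAKIKEYID",
    0x200: "EDITF_ATTRIBUTECA",
    0x8000: "EDITF_ATTRIBUTEEKU",
}


def parse_key_usage_der(der: bytes) -> int:
    """Parse a DER KeyUsage BIT STRING (tag 0x03) and return the first
    usage byte as an int, e.g. 0xb0. Only the short-form length that this
    extension uses is handled; anything else is rejected."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused_bits = der[2]
    if unused_bits > 7:
        raise ValueError("invalid unused-bits count")
    content = der[3:]
    if not content:
        return 0
    # Clear the trailing unused bits so padding can never read as a usage.
    mask = (0xFF << unused_bits) & 0xFF if len(content) == 1 else 0xFF
    return content[0] & mask


def key_usage_names(bits: int) -> list:
    """Human-readable names for a usage byte, in certutil's order."""
    return [name for flag, name in KEY_USAGE_BITS if bits & flag]


def stripped_usages(requested: int, issued: int) -> list:
    """Usages present in the request but missing from the issued cert."""
    return key_usage_names(requested & ~issued)


def edit_flag_names(value: int) -> list:
    """EditFlags names set in a DWORD value, lowest bit first."""
    return [name for flag, name in sorted(EDIT_FLAGS.items()) if value & flag]


def clear_edit_flag(value: int, flag: int) -> int:
    """Integer equivalent of 'certutil -setreg policy\\EditFlags -FLAG'."""
    return value & ~flag


# Sample values: issued bytes from the post's hex dump, request bytes
# constructed from the (b8) in the CSR dump, EditFlags from the post.
ISSUED_KEY_USAGE_DER = bytes.fromhex("030204b0")
CSR_KEY_USAGE_DER = bytes.fromhex("030203b8")
OLD_EDITFLAGS = 0x83EE

if __name__ == "__main__":
    requested = parse_key_usage_der(CSR_KEY_USAGE_DER)
    issued = parse_key_usage_der(ISSUED_KEY_USAGE_DER)
    print("requested:", key_usage_names(requested))
    print("issued:   ", key_usage_names(issued))
    print("stripped: ", stripped_usages(requested, issued))
    new = clear_edit_flag(OLD_EDITFLAGS, 0x8)
    print(f"EditFlags {OLD_EDITFLAGS:x} -> {new:x}: {edit_flag_names(new)}")
```

Comparing the request's usage byte against the issued certificate's is a cheap post-issuance check: if the list returned by stripped_usages is non-empty, the policy module rewrote the extension, and you know which flag to look for in EditFlags.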




Thanks to my colleague Jonathan Stephens for the tip. 😉


-spat



Comments (1)

  1. Luciano says:

    This is not clear AT ALL. Where are these flags defined? What does removing that entry imply? How can I change the Key Usage from b8 to 0x06?