HowTo: (PKI) Specify CERT_KEY_AGREEMENT_KEY_USAGE and CERT_KEY_ENCIPHERMENT_KEY_USAGE at the same time.

When you request both Key Encipherment and Key Agreement in the Key Usage extension, the default policy module strips off the Key Agreement flag.

Here are the available flags:

#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_NON_REPUDIATION_KEY_USAGE 0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
#define CERT_CRL_SIGN_KEY_USAGE 0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01

If you dump the request before you submit it, via "certutil -dump request.csr" you will see it has the proper flags in the request.

2.5.29.15: Flags = 0, Length = 4
Key Usage
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)


However, once you submit it to the CA and view the stored request's properties, you will see the extension has changed:

certutil -view -restrict requestid=5 -v -out ext:2.5.29.15

Row 1:
Certificate Extensions:
2.5.29.15: Flags = 20000(Origin=Policy), Length = 4
Key Usage
Digital Signature, Key Encipherment, Data Encipherment (b0)

    0000 03 02 04 b0 ....

How can we avoid this?

You clear the EDITF_ADDOLDKEYUSAGE flag on the policy module as follows (the leading minus in the certutil argument removes the flag):

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\spatula\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
EditFlags REG_DWORD = 83ee (33774)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)

New Value:
EditFlags REG_DWORD = 83e6 (33766)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect
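As an added example (not code from the original post), a small Python script that decodes a Key Usage BIT STRING the way certutil shows it and decodes the policy module's EditFlags DWORD, so you can see which usage bits the CA dropped from a request and confirm whether EDITF_ADDOLDKEYUSAGE is still set. The constant names and values are taken from the post; the sample byte strings are constructed to match the dumps above.

```python
# Added example, not code from the original post: decode the Key Usage BIT STRING
# (as certutil dumps it) and the policy module's EditFlags DWORD, and report which
# usage bits the CA dropped. Names and values come from the post; samples are constructed.

KEY_USAGE_BITS = {  # first byte of the BIT STRING, CERT_*_KEY_USAGE values
    0x80: "Digital Signature", 0x40: "Non Repudiation",
    0x20: "Key Encipherment", 0x10: "Data Encipherment",
    0x08: "Key Agreement", 0x04: "Key Cert Sign",
    0x02: "CRL Sign", 0x01: "Encipher Only",
}

EDIT_FLAGS = {  # policy module EditFlags bits listed in the certutil -setreg output
    0x2: "EDITF_REQUESTEXTENSIONLIST", 0x4: "EDITF_DISABLEEXTENSIONLIST",
    0x8: "EDITF_ADDOLDKEYUSAGE", 0x20: "EDITF_ATTRIBUTEENDDATE",
    0x40: "EDITF_BASICCONSTRAINTSCRITICAL", 0x80: "EDITF_BASICCONSTRAINTSCA",
    0x100: "EDITF_ENABLEAKIKEYID", 0x200: "EDITF_ATTRIBUTECA",
    0x8000: "EDITF_ATTRIBUTEEKU",
}

def decode_key_usage(der: bytes) -> list:
    """Parse a DER BIT STRING (tag 0x03) holding the Key Usage bits (first byte only)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed Key Usage BIT STRING")
    unused, first = der[2], (der[3] if len(der) > 3 else 0)
    # DER requires the unused low-order bits of the last byte to be zero.
    if unused > 7 or first & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count for a DER BIT STRING")
    return [name for bit, name in KEY_USAGE_BITS.items() if first & bit]

def decode_edit_flags(value: int) -> list:
    """Name the EditFlags bits set in the REG_DWORD value, e.g. 0x83ee."""
    return [name for bit, name in EDIT_FLAGS.items() if value & bit]

def dropped_key_usage(requested: bytes, issued: bytes) -> list:
    """Key Usage names present in the request but missing from the issued certificate."""
    issued_names = decode_key_usage(issued)
    return [u for u in decode_key_usage(requested) if u not in issued_names]

# Constructed samples matching the dumps above: b8 in the CSR, b0 after the CA.
CSR_KEY_USAGE = bytes.fromhex("030203b8")
ISSUED_KEY_USAGE = bytes.fromhex("030204b0")

if __name__ == "__main__":
    print("dropped by CA:", dropped_key_usage(CSR_KEY_USAGE, ISSUED_KEY_USAGE))
    print("old EditFlags:", decode_edit_flags(0x83EE))
    print("new EditFlags:", decode_edit_flags(0x83E6))
```

To check a live CA, feed the value shown by certutil -getreg policy\EditFlags to decode_edit_flags and the ext:2.5.29.15 bytes to decode_key_usage.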


Thanks to my colleague Jonathan Stephens for the tip. ;)

-spat