In some scenarios you want to generate a custom subCA certificate that can itself issue (smart card) certificates for users in a domain. It gets more complex when the Certificate Authority is a Microsoft Windows Server that is not joined to the (same) Windows domain, i.e. a standalone CA without certificate templates.
You might see symptoms like these:
- In the Certificate Export Wizard the other formats are available, but the option to export as Personal Information Exchange – PKCS #12 (.pfx) is greyed out (the machine was not domain joined).
- In the Certificate Manager (certlm.msc) the certificate's icon lacks the small "key" overlay, meaning Windows found no private key associated with it.
The workaround is to build the certificate request from a .inf file with certreq, so that the key is generated as exportable in the machine store and the request carries the extensions a subCA needs. The instructions below were tested on Windows Server 2022 Datacenter at the time of writing.
Inf file:
[Version]
Signature="$Windows NT$"

[NewRequest]
; Subject of the subCA certificate; adjust to your naming.
Subject = "CN=SomeSubCA"
; Exportable=True is what makes the PKCS #12 (.pfx) export option available later.
Exportable = True
; Generate the key in the machine store rather than the user's store.
MachineKeySet = True
KeyLength = 4096
; Key usages a CA key needs: certificate signing, digital signature, CRL signing.
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"

[Extensions]
; 2.5.29.15 = Key Usage. AwIBhg== is the DER BIT STRING 03 02 01 86 = digitalSignature | keyCertSign | cRLSign.
2.5.29.15 = AwIBhg==
; 2.5.29.19 = Basic Constraints: a CA that may only issue end-entity certificates (no further subCAs).
2.5.29.19 = "{text}ca=1&pathlength=0"
; Mark the Key Usage extension critical (see the EDITF_ADDOLDKEYUSAGE note further down).
Critical = 2.5.29.15
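The whole flow from this .inf to an exportable subCA certificate, as an added PowerShell example that is not part of the original post. The CA config string, the working directory and the pending/approve step of a standalone CA are assumptions, not taken from the page; run it elevated on the server that will hold the subCA key.

```powershell
# Added example (not the original post's code): request, approve, install and verify
# the subCA certificate described by the .inf above, then export it as .pfx.
# Assumed, not stated on the page: $CaConfig, $Work, and that the standalone CA parks
# the request as "Taken Under Submission" until someone approves it.

$CaConfig = 'CA-HOST\JB-WIN-STANDALO-CA'   # assumption: "<CA host>\<CA name>"; list yours with: certutil -dump
$Subject  = 'CN=SomeSubCA'
$Work     = Join-Path $env:TEMP 'subca'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$Inf = Join-Path $Work 'subca.inf'
$Req = Join-Path $Work 'subca.req'
$Cer = Join-Path $Work 'subca.cer'

# The .inf from above, unchanged except that the subject is filled in.
$infText = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "{{SUBJECT}}"
Exportable = True
MachineKeySet = True
KeyLength = 4096
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"

[Extensions]
2.5.29.15 = AwIBhg==
2.5.29.19 = "{text}ca=1&pathlength=0"
Critical = 2.5.29.15
'@
Set-Content -Path $Inf -Value $infText.Replace('{{SUBJECT}}', $Subject) -Encoding ASCII

# 1. Generate the 4096-bit key in the machine store and write the PKCS #10 request.
certreq.exe -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit to the CA. Without templates a standalone CA normally answers
#    "Certificate request is pending: Taken Under Submission", so keep the RequestId.
$submit = certreq.exe -submit -config $CaConfig $Req $Cer 2>&1 | Out-String
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "certreq -submit failed:`n$submit" }
$RequestId = [int]$Matches[1]

if ($submit -match 'Taken Under Submission') {
    # 3. Approve it (needs Certificate Manager rights on the CA) and fetch the result.
    certutil.exe -config $CaConfig -resubmit $RequestId | Out-Null
    certreq.exe -retrieve -config $CaConfig $RequestId $Cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }
}

# 4. Install the issued certificate and bind it to the private key from step 1
#    (the pending request lives in the machine store because of MachineKeySet=True).
certreq.exe -accept -machine $Cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 5. Check what the CA actually issued before trusting it as a subCA:
#    private key present, KeyUsage critical, BasicConstraints CA=TRUE.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
[pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    HasPrivateKey    = $cert.HasPrivateKey         # the "key" overlay in the MMC icon
    KeyUsage         = $ku.KeyUsages
    KeyUsageCritical = $ku.Critical                # False: the CA rewrote the extension from the request
    IsCA             = $bc.CertificateAuthority
    PathLength       = $bc.PathLengthConstraint
} | Format-List

# 6. The reason for Exportable=True: the PKCS #12 export now works.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $Work 'subca.pfx') -Password $pfxPassword | Out-Null
```

Step 5 is the check worth keeping around: if KeyUsageCritical comes back False even though the request marked 2.5.29.15 critical, the CA's policy module rewrote the extension, which is exactly what the EDITF_ADDOLDKEYUSAGE flag below is about.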
The next issue you might run into is that the generated certificate cannot be exported due to "old key usage".
To make sure KeyUsage can be marked as critical, enable this flag on the CA with certutil (note the leading +, which adds the bit to the existing value):
PS C:\users\jeffrey_bostoen\Desktop> & certutil.exe -setreg policy\EditFlags +EDITF_ADDOLDKEYUSAGE
To restore the original value:
PS C:\users\jeffrey_bostoen\Desktop> & certutil.exe -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
⚠️ Forget the "+" in front of EDITF_ADDOLDKEYUSAGE and the value is replaced rather than updated: it will contain that single flag and every other flag is lost, as you can see below.
PS C:\users\jeffrey_bostoen\Desktop> & certutil.exe -setreg policy\EditFlags EDITF_ADDOLDKEYUSAGE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\JB-WIN-STANDALO-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
Old Value:
EditFlags REG_DWORD = 83ee (33774)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
New Value:
EditFlags REG_DWORD = 8
EDITF_ADDOLDKEYUSAGE -- 8
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
Afterwards, restore the original value. Note that certutil rejects the bare hex value "83ee" with ERROR_INVALID_DATA; it needs the 0x prefix:
PS C:\users\jeffrey_bostoen\Desktop> & certutil.exe -setreg policy\EditFlags 83ee
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\JB-WIN-STANDALO-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
Old Value:
EditFlags REG_DWORD = 0
CertUtil: -setreg command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: The data is invalid.
With the 0x prefix it succeeds:
PS C:\users\jeffrey_bostoen\Desktop> & certutil.exe -setreg policy\EditFlags 0x83ee
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\JB-WIN-STANDALO-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:
Old Value:
EditFlags REG_DWORD = 0
New Value:
EditFlags REG_DWORD = 83ee (33774)
EDITF_REQUESTEXTENSIONLIST -- 2
EDITF_DISABLEEXTENSIONLIST -- 4
EDITF_ADDOLDKEYUSAGE -- 8
EDITF_ATTRIBUTEENDDATE -- 20 (32)
EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
EDITF_BASICCONSTRAINTSCA -- 80 (128)
EDITF_ENABLEAKIKEYID -- 100 (256)
EDITF_ATTRIBUTECA -- 200 (512)
EDITF_ATTRIBUTEEKU -- 8000 (32768)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
For troubleshooting purposes, this is the line I look at to confirm the flag was enabled:
EditFlags REG_DWORD = 83ee (33774)
33774 (0x83ee) means every flag listed underneath it is set, including this one:
EDITF_ADDOLDKEYUSAGE -- 8
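A scripted version of that check, as an added PowerShell example that is not part of the original post: it decodes EditFlags into the flag names certutil prints, reads the live value from the same registry key certutil edits, and toggles EDITF_ADDOLDKEYUSAGE with the "+"/"-" syntax while verifying that no other flag was clobbered. The bit values are taken from the certutil output above; bits certutil would name but this page does not show are reported as raw hex. Run it elevated on the CA.

```powershell
# Added example (not the original post's code). Assumption: the flag/bit table below is
# the one certutil printed in the transcript above; any other bits come out as UnknownBits.

$EditFlagNames = [ordered]@{
    0x2    = 'EDITF_REQUESTEXTENSIONLIST'
    0x4    = 'EDITF_DISABLEEXTENSIONLIST'
    0x8    = 'EDITF_ADDOLDKEYUSAGE'
    0x20   = 'EDITF_ATTRIBUTEENDDATE'
    0x40   = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x80   = 'EDITF_BASICCONSTRAINTSCA'
    0x100  = 'EDITF_ENABLEAKIKEYID'
    0x200  = 'EDITF_ATTRIBUTECA'
    0x8000 = 'EDITF_ATTRIBUTEEKU'
}
$EDITF_ADDOLDKEYUSAGE = 0x8

function ConvertFrom-CaEditFlags {
    # Pure decoder, works offline: ConvertFrom-CaEditFlags 0x83ee / 33774 / 8.
    param([Parameter(Mandatory)][int64]$Value)
    $known = [int64]0
    $names = foreach ($bit in $EditFlagNames.Keys) {
        $known = $known -bor [int64]$bit
        if ($Value -band $bit) { $EditFlagNames[$bit] }
    }
    [pscustomobject]@{
        Hex            = '0x{0:x}' -f $Value
        Decimal        = $Value
        Flags          = @($names)
        UnknownBits    = '0x{0:x}' -f ($Value - ($Value -band $known))
        AddOldKeyUsage = [bool]($Value -band $EDITF_ADDOLDKEYUSAGE)
    }
}

function Get-CaEditFlags {
    # Same key certutil -setreg policy\EditFlags edits; the active CA name is stored
    # in the "Active" value under CertSvc\Configuration.
    $cfg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca   = (Get-ItemProperty -Path $cfg -Name Active).Active
    $path = Join-Path $cfg "$ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $raw  = (Get-ItemProperty -Path $path -Name EditFlags).EditFlags
    # REG_DWORD is returned as a signed Int32; mask so a set top bit stays positive.
    $decoded = ConvertFrom-CaEditFlags ([int64]$raw -band 0xFFFFFFFFL)
    $decoded | Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru
}

function Set-CaAddOldKeyUsage {
    # "+" and "-" edit the single bit in place. A bare EDITF_ADDOLDKEYUSAGE (no sign)
    # overwrites the whole DWORD with 8, the mistake shown in the transcript above.
    param([Parameter(Mandatory)][bool]$Enabled)
    $before = Get-CaEditFlags
    $arg = if ($Enabled) { '+EDITF_ADDOLDKEYUSAGE' } else { '-EDITF_ADDOLDKEYUSAGE' }
    certutil.exe -setreg policy\EditFlags $arg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service CertSvc                 # certutil warns the change may need a restart
    $after = Get-CaEditFlags
    # Every flag except the one we touched must survive; otherwise the value was clobbered.
    $lost = $before.Flags | Where-Object { $_ -ne 'EDITF_ADDOLDKEYUSAGE' -and $after.Flags -notcontains $_ }
    if ($lost) {
        throw "EditFlags lost: $($lost -join ', '). Restore with: certutil -setreg policy\EditFlags $($before.Hex)"
    }
    $after
}

function Restore-CaEditFlags {
    # certutil wants the 0x-prefixed hex form; "83ee" without the prefix fails with
    # ERROR_INVALID_DATA, as the transcript above shows.
    param([Parameter(Mandatory)][int64]$Value)
    certutil.exe -setreg policy\EditFlags ('0x{0:x}' -f $Value) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service CertSvc
    Get-CaEditFlags
}

# Offline: decode the two values from the transcript.
ConvertFrom-CaEditFlags 0x83ee | Format-List   # nine flags, AddOldKeyUsage True, UnknownBits 0x0
ConvertFrom-CaEditFlags 8      | Format-List   # only EDITF_ADDOLDKEYUSAGE: the "forgot the +" result
# On the CA: save, enable, issue the subCA certificate, then put things back.
# $saved = Get-CaEditFlags
# Set-CaAddOldKeyUsage -Enabled $true
# ... submit and issue the subCA request ...
# Restore-CaEditFlags $saved.Decimal
```

Keep the value from Get-CaEditFlags before touching anything; Restore-CaEditFlags formats it with the 0x prefix for you, so the ERROR_INVALID_DATA round trip shown above does not happen.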
Source: How to make key extension critical in ADCS issued CA certificates (microsoft.com)