Discussion:
How to create a root CA cert and code signing cert without a CRLs?
Pieter
2004-07-06 02:01:50 UTC
For internal testing purposes we sign development builds with a test
authenticode certificate pointing to a test CA instead of our real Verisign
certificate.

The test CA certificate was created by the certificate services install
wizard while installing on a 2K3 box.
The test code signing certificate was generated using the test CA and
certificate services on the 2K3 box.
Both the CA and code signing cert contain CRL entries.

I do not want the CA certificate or the code signing certificate to contain
CRLs.

I have experimented with makecert.exe, but I would really like pointers to
good online documentation describing more than the makecert command line
arguments, especially on generating and installing a custom CA in a
certificate services environment.

Specific questions:
1) Once I create a test CA without a CRL, how do I replace the root CA
installed on the certificate services box?
2) Is there an easy way to clone an existing certificate, CA or code
signing, and use the parameters as a basis for my own certificate (minus the
CRLs)?

Any help is appreciated.

Pieter
Lars Olaussen
2004-07-06 08:30:25 UTC
Pieter,

To generate a CA certificate without CRL/AIA information, you must
specify this in the capolicy.inf file stored in C:\Windows. More
information about this file is provided here:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssch_pki_pjnc.asp

An example of capolicy.inf
---------------------------
[Version]
Signature="$Windows NT$"

[CAPolicy]
Policies=LegalPolicy

[LegalPolicy]
OID=1.1.1.1.1.1.1.1.1
URL = "http://http.microsoft.com/somewhere/default.asp"
Notice = "Legal policy statement text."

[CRLDistributionPoint]
Empty=true

[AuthorityInformationAccess]
Empty=true

[basicconstraintsextension]
pathlength=3
critical=True

[Extensions]
2.5.29.15 = AwIBBg==
Critical = 2.5.29.15
---------------------------

The two statements "Empty=true" remove the CRL and AIA pointers.
The last extension (2.5.29.15) sets the keyUsage extension to
digitalSignature and cRLSigning only, and marks the key usage as
critical.

If you do not want cRLSigning either, you can replace "2.5.29.15 =
AwIBBg==" with "2.5.29.15 = AwIBBB=="

To add/change information in the EE certificates, you can do this by
using:

certutil.exe -setextension

Running this command without any parameters will give you the syntax to
use. If you want to remove the 'nonRepudiation' keyUsage that MS puts in
Code Sign certificates using the web enrollment page, then input a file
with the text "03 02 04 80", to this command:

certutil.exe -setextension <RequestID> 2.5.29.15 1 @filename.txt

This will set the certificate keyUsage to digitalSignature only, marked
critical.

If you want to add other information, you can extract information from
another certificate by using

certutil.exe -v <certificate.file>

and copy the HEX encoded information to a file (similar to keyUsage
mentioned just above) and input this with certutil -setextension. Just
remember to set the correct OID and criticality.

To remove the CRL/AIA information in the EE certificates, open the CA
GUI, choose CA Properties, Extensions, and delete all entries under CRL
and AIA except the top of the list in each list.

I hope this provided enough information to perform your tests. If not,
do not hesitate to post follow-ups.


Regards,
Lars Olaussen
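The keyUsage values in the reply above are hand-encoded DER BIT STRINGs (base64 under [Extensions] in capolicy.inf, hex text for the certutil -setextension input file), and a typo in them silently changes which usages the CA asserts. The following Python decoder/encoder is an added example, not code from the thread or from Microsoft; the function names are my own, and the bit names follow RFC 5280. Run it over a value before issuing to confirm it sets exactly the bits you intend.

```python
import base64

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the
# first content octet of the DER BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der):
    """Parse a short-form DER BIT STRING (tag 0x03) into KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits octet must be 0..7")
    content = der[3:]
    valid_bits = len(content) * 8 - unused   # bits past this are padding
    names = []
    for i in range(min(valid_bits, len(KEY_USAGE_BITS))):
        if content[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i])
    return names

def encode_key_usage(names):
    """Minimal DER BIT STRING for the named bits (trailing zero bits trimmed)."""
    bits = [KEY_USAGE_BITS.index(n) for n in names]
    if not bits:
        return bytes([0x03, 0x01, 0x00])
    highest = max(bits)
    nbytes = highest // 8 + 1
    content = bytearray(nbytes)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (highest + 1)
    return bytes([0x03, nbytes + 1, unused]) + bytes(content)

def decode_capolicy_value(b64):
    """Decode a base64 value as written under [Extensions] in capolicy.inf."""
    return decode_key_usage(base64.b64decode(b64))

def decode_certutil_infile(hex_text):
    """Decode the hex text fed to 'certutil -setextension ... @file'."""
    return decode_key_usage(bytes.fromhex(hex_text.replace(" ", "")))

def capolicy_value(names):
    """Base64 form of the KeyUsage BIT STRING, as capolicy.inf expects."""
    return base64.b64encode(encode_key_usage(names)).decode("ascii")
```

The encoder emits minimal DER, so encode_key_usage(["digitalSignature"]) yields 03 02 07 80 rather than the 03 02 04 80 quoted above; both name the same single bit, which is what the decoder reports.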
Pieter
2004-07-09 03:43:17 UTC
Lars

Thanks, I will try it, and the links are very good.

Pieter
Yan-Hong Huang[MSFT]
2004-07-09 02:43:56 UTC
Hello Pieter,

Lars's reply is quite detailed. Do you still have any more concerns on this
issue? If there are any more questions, please feel free to post here.

Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support
Michel Gallant
2004-07-09 12:23:08 UTC
Using makecert.exe (W2k Pro ...), here are commands to generate
a 1024 bit root self-signed CA cert and a test client (for code-signing) cert signed
by that test root CA cert. Both certs are marked as exportable:

----- Generate the root CA cert ------
makecert -pe -r -cy authority -ss MY -sp "Microsoft Enhanced Cryptographic Provider v1.0" -n "CN=Your Test CA, OU=Security"

----- Generate the client cert and sign with above root CA cert -------
makecert -nscp -pe -is MY -e 10/30/2005 -in "Your Test CA" -sp "Microsoft Enhanced Cryptographic Provider v1.0" -n "CN=Test Client, OU=Security" -ss MY -eku 1.3.6.1.5.5.7.3.3


The root CA cert is then exported and the public certificate (without private key) is
reimported to trusted ROOT cert store (either LM or CU).

- Mitch Gallant
MVP Security
www.jensign.com