5

I am trying to figure out how to do Qualified Subordination with the critical extension set, but I'm unable to figure out how to do this in MSFT AD CS.

For a given certificate, how do I make sure that the name constraints are set appropriately on the issued cert?

Edit

Work done so far (see edit history for more work done):

I installed a sub CA here following these directions.

The name constraints are configured in one of two locations. When creating a new CA, you can define name constraints for that CA by configuring CAPolicy.inf to impose name constraints. Likewise, if you are creating a qualified subordinate CA certificate, you would define name constraints in the Policy.inf file. In both cases, the following syntax is used:

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = TrUe

[NameConstraintsPermitted]
DNS = ""
email=""
UPN=""

[NameConstraintsExcluded]
DNS = .nwtraders.com
email = @nwtraders.com
UPN = .nwtraders.com
UPN = @nwtraders.com
URI = ftp://.nwtraders.com
DIRECTORYNAME = "DC=NWtraders, DC=com"

My capolicy.inf on the subCA is this

[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
OID=1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.bitclear.us/pki/cps.txt

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=1
# ForceUTF8=0 

[CRLDistributionPoint] 
Empty=True

[AuthorityInformationAccess] 
Empty=True

[BasicConstraintsExtension] 
PathLength=1 
Critical=Yes

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DirectoryName = "DC=gg, DC=Com"
email = @gg.com
UPN = .gg.com
UPN = @gg.com


#[EnhancedKeyUsageExtension] 
#OID=1.3.6.1.5.5.7.3.4        ; Secure Email 
#OID=1.3.6.1.4.1.311.20.2.2    ; Smart Card Logon 
#Critical=No
# on a sub CA do this: Certutil –setreg Policy\CAPathLength 2

my policy.inf on the SubCA and rootCA is this

[Version]
Signature= "$Windows NT$"

[RequestAttributes]
CertificateTemplate = SubCA

[PolicyStatementExtension]
Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
CRITICAL = FALSE

[HighAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.402

[MediumAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.401

[LowAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.400

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DirectoryName = "DC=g, DC=Com"
email = @g.com
UPN = .g.com
UPN = @g.com

[NameConstraintsExcluded]

No matter how many times I restart the subCA, or reinstall the subCA, or restart the rootCA I'm unable to get a name restriction visible in the request from the subCA (via certutil - dump) or when I view the certificate that is issued in the MMC.

I know this is possible because a dump with name constraints is available here

makerofthings7
  • 8,821
  • 28
  • 115
  • 196

1 Answers1

1

Microsoft just posted this article on how to use Name Constraints with AD CS

To apply a name constraint to a pending policy run the following command

Certreq -policy originalrequest.req policy.inf modifiedrequest.req

originalrequest.req – the original request file provided by the subordinate to the parent CA

policy.inf - The policy file containing the settings you want to be applied to the request

modifiedrequest.inf - This is the output file that will contain the original request and has been modified by the policy. This file will be supplied to the parent CA instead of the originalrequest.req

makerofthings7
  • 8,821
  • 28
  • 115
  • 196