Steps to reproduce
We have a .csr with the following:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Actual results
PKIAAS delivers a .crt with the following:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
As a result, we can’t use our ADCS-based intermediate CA:
certreq -config testad-adcs-03.test.local\pp-ca-int-iot -submit testad-adcs-ra3-web2.csr
Identifiant de requête : 14
IDDemande : « 14 »
Certificat non délivrés (Refusé) Erreur de création ou de publication du certificat Le certificat n’est pas valide pour l’usage requis. 0x800b0110 (-2146762480 CERT_E_WRONG_USAGE)
Processeur de demande de certificat: Le certificat n’est pas valide pour l’usage requis. 0x800b0110 (-2146762480 CERT_E_WRONG_USAGE)
Erreur de création ou de publication du certificat
Expected results
The delivered certificate has the Certificate Sign and CRL Sign bits asserted, and ADCS can use it.
Additional info
RFC 5280 states both Certificate Sign and CRL Sign are mandatory:
Conforming CAs MUST include [Key usage] extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical.
The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.
The cRLSign bit is asserted when the subject public key is used for verifying signatures on certificate revocation lists (e.g., CRLs, delta CRLs, or ARLs).
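To make the RFC 5280 rules above checkable on the issued file, here is an added example (written for this report, not PKIaaS or ADCS code) that decodes the two extensions' DER values and reports why a certificate cannot act as a CA. The byte strings are constructed to match the Key Usage and Basic Constraints values quoted in the report.

```python
# KeyUsage named bits in BIT STRING order (bit 0 is the MSB of the first payload byte).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
# Constructed DER extension values matching what the report quotes.
KU_REQUESTED = bytes.fromhex("03020186")          # Digital Signature, Certificate Sign, CRL Sign
KU_DELIVERED = bytes.fromhex("030205a0")          # Digital Signature, Key Encipherment
BC_DELIVERED = bytes.fromhex("30060101ff020100")  # CA:TRUE, pathlen:0

def _tlv(data, offset=0):
    """Parse one DER TLV (short-form length, enough for these extensions): (tag, value, next offset)."""
    tag, length = data[offset], data[offset + 1]
    return tag, data[offset + 2:offset + 2 + length], offset + 2 + length

def decode_key_usage(der):
    """KeyUsage BIT STRING -> set of asserted bit names."""
    tag, value, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, payload = value[0], value[1:]   # first byte counts unused trailing bits
    nbits = min(len(payload) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits) if payload[i // 8] & (0x80 >> (i % 8))}

def decode_basic_constraints(der):
    """BasicConstraints SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL } -> (ca, pathlen)."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, pathlen, off = False, None, 0
    while off < len(body):
        tag, value, off = _tlv(body, off)
        if tag == 0x01:    # cA BOOLEAN
            ca = value != b"\x00"
        elif tag == 0x02:  # pathLenConstraint INTEGER
            pathlen = int.from_bytes(value, "big")
    return ca, pathlen

def check_ca_usage(key_usage_der, basic_constraints_der):
    """List what stops this certificate from acting as a CA (empty list = consistent)."""
    usage = decode_key_usage(key_usage_der)
    ca, _ = decode_basic_constraints(basic_constraints_der)
    problems = []
    if "keyCertSign" in usage and not ca:
        problems.append("keyCertSign asserted but cA is FALSE (RFC 5280 4.2.1.3 MUST)")
    if ca and "keyCertSign" not in usage:
        problems.append("cA is TRUE but keyCertSign not asserted: cannot sign certificates")
    if ca and "cRLSign" not in usage:
        problems.append("cA is TRUE but cRLSign not asserted: cannot sign CRLs")
    return problems
```

Running check_ca_usage(KU_DELIVERED, BC_DELIVERED) reports the two missing bits, which is the mismatch ADCS rejects as CERT_E_WRONG_USAGE; the requested values pass cleanly.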
Edit: updated the certreq section with the actual error