Article ID: 888180
If you want to make a stand-alone certification authority (CA) compliant with the ISIS-MTT version 1.1 standard, follow the steps that are described in this article. The issuing CA must force UTF-8 encoding. After a certificate request is submitted, the key usage attribute must be marked as "critical" before the certificate is issued. You can then issue and verify the certificate.
ISIS-MTT is a new German standard for Public Key Infrastructure (PKI) interoperability. ISIS-MTT defines data formats and communication protocols to be employed in interoperable PKI-based applications. The standard focuses on security services for authentication. These services include user identification and data integrity, confidentiality, and non-repudiation. The standard was developed by the German government together with banking, industrial, and academic interests.
To make the Windows certification authority (CA) compliant with ISIS-MTT version 1.1, you must complete specific configuration steps. This step-by-step article describes how to enroll certificates that comply with the ISIS-MTT requirements for a stand-alone CA.
Note Your CA must be a server that is running Microsoft Windows Server 2003 Service Pack 1 (SP1), an x64-based version of Windows Server 2003, or a later version of Windows.
Important The configuration changes that are documented in this article must be applied to the CA that enrolls the certificate. In a PKI topology, this is the parent CA of the certificate requester. If a CA certificate is requested from a subordinate CA, the type of CA that requests the certificate is not relevant.
Use the step-by-step directions in this article if the following conditions are true:
Note The ISIS-MTT standard requires that the name of a CA contain the following distinguished name attributes:
Certificate Signing, Off-line CRL Signing, CRL Signing
To apply this key usage if a CA certificate is requested, type the following at a command prompt, and then press ENTER:
echo 03 02 01 06>File_Name.txt
For an explanation of the hexadecimal numbers that are used in this command, see the "Interpret key usage" section.
To modify the pending CA certificate request to set the key usage and to mark it as critical, type the following at a command prompt, and then press ENTER:
certutil -setextension Request_ID_Noted_In_Step_7_Of_The_Submit_The_Certificate_Request_Section 2.5.29.15 1 @File_Name.txt
To do this, type the following at a command prompt, and then press ENTER:
certutil -setextension Request_ID_Noted_In_Step_7_Of_The_Submit_The_Certificate_Request_Section 2.5.29.15 1
For an explanation of the hexadecimal numbers that are used in this command, see the "Interpret key usage" section.
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
#define CERT_NON_REPUDIATION_KEY_USAGE 0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
#define CERT_CRL_SIGN_KEY_USAGE 0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01
For example, the value 03 02 01 86 sets the following key usages with a logical OR operation:
CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE (0x80 | 0x04 | 0x02 = 0x86)
If you want Certificate Revocation List (CRL) signing and certificate signing only, the hexadecimal value must be 03 02 01 06.
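The bytes written to File_Name.txt in the enrollment steps above and the values this section interprets are a DER-encoded BIT STRING: 03 is the BIT STRING tag, 02 is the content length, 01 is the number of unused bits in the last value byte, and the remaining byte carries the flags. The following Python script is an added example and is not part of the Microsoft article. It encodes a set of usages into that byte string, going beyond the article by computing the correct DER unused-bit count for any combination (including the second-byte decipherOnly bit, which the wincrypt.h table does not list), decodes a byte string back into RFC 5280 usage names, and checks whether a value is exactly the certificate-signing plus CRL-signing usage the article gives for a CA certificate. The KEY_USAGE_BITS table and all function names are the script's own.

```python
# Added example (not from the Microsoft article): encode/decode the DER
# key-usage BIT STRING that "certutil -setextension ... 2.5.29.15" consumes.
# Python 3, standard library only.

# RFC 5280 KeyUsage bit positions (0 = most significant bit of the first
# value byte). The first-byte masks match the wincrypt.h CERT_*_KEY_USAGE
# values listed in the article; decipherOnly lives in a second byte.
KEY_USAGE_BITS = {
    "digitalSignature": 0,   # CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
    "nonRepudiation":   1,   # CERT_NON_REPUDIATION_KEY_USAGE   0x40
    "keyEncipherment":  2,   # CERT_KEY_ENCIPHERMENT_KEY_USAGE  0x20
    "dataEncipherment": 3,   # CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
    "keyAgreement":     4,   # CERT_KEY_AGREEMENT_KEY_USAGE     0x08
    "keyCertSign":      5,   # CERT_KEY_CERT_SIGN_KEY_USAGE     0x04
    "cRLSign":          6,   # CERT_CRL_SIGN_KEY_USAGE          0x02
    "encipherOnly":     7,   # CERT_ENCIPHER_ONLY_KEY_USAGE     0x01
    "decipherOnly":     8,   # second value byte, mask 0x80
}

CA_ONLY_USAGE = {"keyCertSign", "cRLSign"}   # the "03 02 01 06" case


def encode_key_usage(usages):
    """Return the DER BIT STRING for the given usage names as space-separated
    hex bytes, e.g. "03 02 01 06" for keyCertSign + cRLSign."""
    bits = [KEY_USAGE_BITS[u] for u in usages]
    if not bits:
        raise ValueError("at least one key usage is required")
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    # DER drops trailing zero bits: the first content byte states how many
    # low-order bits of the last value byte are unused.
    unused = 7 - (highest % 8)
    body = bytes([unused]) + bytes(value)
    der = bytes([0x03, len(body)]) + body
    return " ".join(f"{x:02x}" for x in der)


def decode_key_usage(hex_bytes):
    """Parse a DER key-usage BIT STRING such as "03 02 01 86" into usage
    names in bit order. Raises ValueError on malformed input."""
    der = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING (tag 0x03)")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("length byte does not match content")
    unused, value = der[2], der[3:]
    if unused > 7 or (unused and not value):
        raise ValueError("invalid unused-bits count")
    total_bits = len(value) * 8 - unused
    by_bit = {bit: name for name, bit in KEY_USAGE_BITS.items()}
    names = []
    for bit in range(total_bits):
        if value[bit // 8] & (0x80 >> (bit % 8)):
            names.append(by_bit.get(bit, f"bit{bit}"))
    return names


def is_ca_only_key_usage(hex_bytes):
    """True when the value encodes exactly certificate signing + CRL signing,
    the usage the article gives for a CA certificate (03 02 01 06)."""
    return set(decode_key_usage(hex_bytes)) == CA_ONLY_USAGE


if __name__ == "__main__":
    for usages in (["keyCertSign", "cRLSign"],
                   ["digitalSignature", "keyCertSign", "cRLSign"]):
        hexval = encode_key_usage(usages)
        print(f"{hexval}  ->  {decode_key_usage(hexval)}"
              f"  ca_only={is_ca_only_key_usage(hexval)}")
```

Writing the output of encode_key_usage(["keyCertSign", "cRLSign"]) to a file reproduces the 03 02 01 06 value the echo command above creates; running decode_key_usage on a value taken from an issued certificate is a quick way to confirm which usages actually ended up in it.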
Technical support for Windows x64 editions
Your hardware manufacturer provides technical support and assistance for Microsoft Windows x64 editions. Your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
http://www.microsoft.com/windowsxp/64bit/default.mspx
For product information about Microsoft Windows Server 2003 x64 editions, visit the following Microsoft Web site:
Article ID: 888180 - Last Review: October 11, 2007 - Revision: 4.4