Question
Tuesday, April 14, 2020 5:26 PM
Hello
According to: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/windows-server-2008-r2-capolicy-inf-syntax/ba-p/397200, it is possible to set the Path Lengths Constraint on a CA where that CA does NOT have a Path Length Constraint configured within its own certificate by using the following:
certutil –setreg PolicyCAPathLength 2
And then restarting the CA.
In the above example, any child CA certificates issued by the parent CA will contain a Path Length of 1.
The problem is, this Registry setting doesn't actually seem to work! On a Root CA configured within its own certificate with a Path Length setting of 'None', modifying the Registry as shown above, restarting the CA and then issuing a certificate to a child CA, the resulting certificate for the child CA also ends up with a Path Length of 'none'.
Has anyone actually got this Registry setting to work in practice?
Note that I know this can be set using CAPolicy.inf when a Root CA is built. This is for the specific situation where a Root CA was built with no Path Length Constraints so using the Registry setting change is the only way to implement the Path Length Constraint at the child CA level without reissuing the Root CA certificate.
Thanks.
All replies (7)
Wednesday, April 15, 2020 6:41 AM ✅Answered | 1 vote
The information in the blog post is incorrect. There is no such registry setting called 'PolicyCAPathLength' or similar. This is why it doesn't work.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
Wednesday, April 15, 2020 6:55 AM | 1 vote
Hello,
Thank you for posting in our TechNet forum.
According to this article, "The path length constraint is specified during CA installation and cannot be changed without reissuing the CA certificate."
For more information, we could refer to:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786428(v%3Dws.11)
Here we would like to share with you more information about the Basic Constraints extension, and hope it could be helpful.
http://www.pkiglobe.org/
For any question, please feel free to contact us.
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Best regards,
Hannah Xiong
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, April 15, 2020 7:39 AM
Thanks, Vadims!
Wednesday, April 15, 2020 11:36 AM
Vadims
Turns out the correct Registry setting is:
certutil -setreg Policy\CAPathLength <n>
Where <n> is the value to set the Parent CA Path Length to. So if set to 1, the child CA cert would be issued with a PL of 0.
The Parent CA can have a PL setting in its own certificate or not. If a PL exists in the Parent CA certificate, the Registry setting overrides it.
This seems to be a supported scenario: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786428(v%3Dws.11)#basic-constraints
Certs issued with manually configured PLs seem to validate OK, e.g. using certutil -verify...
This info might be useful to others.
I guess if a parent CA had say a PL of 2 in its own certificate and then someone used the Registry to issue a cert to a child CA with a PL of 3, this might cause problems later down the line. YMMV as they say!
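The arithmetic above (Policy\CAPathLength n gives the child CA a pathLen of n - 1) and the mismatch caveat in the last paragraph, as an added example that is not part of the original post; the certificates are constructed dicts and validate_chain follows the RFC 5280 section 6.1.4 path-length bookkeeping rather than any Windows API:

```python
# Added example (not from the thread): models how Policy\CAPathLength shapes the
# pathLenConstraint written into a child CA certificate, and how RFC 5280 section
# 6.1.4 path validation treats the result. All certificates are constructed dicts.

def issued_path_length(ca_path_length_setting):
    """pathLenConstraint a child CA cert receives when the issuing CA's policy
    module has Policy\\CAPathLength = n (the thread's rule: the child gets n - 1).
    None means the parent writes no constraint at all."""
    if ca_path_length_setting is None:
        return None
    if ca_path_length_setting < 1:
        raise ValueError("Policy\\CAPathLength must be >= 1 to issue a subordinate CA")
    return ca_path_length_setting - 1


def ca(name, path_len=None):
    """Constructed CA certificate; path_len None = no pathLenConstraint."""
    return {"name": name, "is_ca": True, "path_len": path_len}


def leaf(name):
    """Constructed end-entity certificate."""
    return {"name": name, "is_ca": False, "path_len": None}


def validate_chain(chain):
    """chain runs root first, end entity last. Applies the max_path_length
    bookkeeping of RFC 5280 6.1.4 steps (l) and (m) to every CA in the chain.
    The root's own pathLenConstraint is treated as binding (local policy in
    RFC 5280 terms; it is what the thread's root-with-PL question assumes)."""
    max_path_length = None  # unlimited until some CA in the chain constrains it
    for cert in chain[:-1]:
        if not cert["is_ca"]:
            return False, f"{cert['name']} is not a CA but issued a certificate"
        if cert is not chain[0]:  # step (l): each non-self-issued CA uses one hop
            if max_path_length is not None:
                if max_path_length <= 0:
                    return False, f"{cert['name']} exceeds an ancestor's path length"
                max_path_length -= 1
        pl = cert["path_len"]  # step (m): only a stricter constraint replaces it
        if pl is not None and (max_path_length is None or pl < max_path_length):
            max_path_length = pl
    return True, "chain valid"
```

A parent whose own certificate carries pathLen 2 and whose child was given pathLen 3 through the registry still validates only two CA levels below the root, so the larger value is never honoured by relying parties.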
Wednesday, April 15, 2020 11:38 AM
Hannah
Thanks! The Microsoft article you linked to contained the correct Registry setting to use for this, so I've added this and an explanation to my original question.
Wednesday, April 15, 2020 1:34 PM | 1 vote
Yes, this value exists under the policy module. I checked for the value in the CertSrv.h file and didn't find the one referenced in the blog post.
But I personally would use the Basic Constraints extension configuration instead of the registry key. The registry key should be considered an ad-hoc and temporary solution until you get a CA certificate with the correct value.
Vadims Podāns, aka Crypt32
Wednesday, April 15, 2020 1:39 PM | 1 vote
BTW, I figured out what's wrong with the blog post: a slash was eaten during the blog post migration from TechNet blogs to the new Lithium platform. The original blog post was correct: 'certutil -setreg Policy\CAPathLength', and when the blog was migrated, the slash was escaped (a common case when dealing with HTML transitions) and it became 'certutil -setreg PolicyCAPathLength'.
Vadims Podāns, aka Crypt32