This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I created a certificate signing request for a new intermediate CA. The CSR was created with the critical flag on the KeyUsage property. I can verify this by running certutil -dump certificate.req.
Upon importing the CSR into the (standalone) root CA, it does not recognise the critical flag on the CSR. The root CA seems to even completely omit the KeyUsage from the CSR, as the KeyUsage origin is set to Policy instead of Request.
In the next image you can see that the critical flag is not present in the issued certificate.
Next, I checked if the CA is configured to even transfer the KeyUsage from the request to the certificate, by running **certutil -v -getreg Policy\EnableRequestExtensionList* and checking if OID 2.5.29.15 is included. In the next image you can see, that it is.
Why is my root CA ignoring the flag in the request and how can I make it respect the request flag?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 25%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
If the CSR has the BasicConstraint extension set to CA=True the CA will default to what you see above. You can override this by running the following on the signing CA (the Root)
certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE
Restart the service and try again.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 19%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPH%3C/text%3E%3C/svg%3E)
Thanks Vijay. I am experiencing the same issue generating certificates from CUCM for Tomcat-ECDSA CSR using certreq to generate the certificate. My concern with the above - what is the impact to other certificates? What is the back out command should there be any issues? Assume you mean restart certificate services on the CA?