Author Posts

August 7, 2016 at 4:20 am

Hi all

I am working on creating a few certificates using New-SelfSignedCertificate cmdlet for a test lab. The first certificate is my root. The second certificate is the subordinate. What I want to do is be able to sign other certificates using the subordinate certificate. I have no issues creating the subordinate certificate from the root certificate. When I try and sign a new certificate from the subordinate, I don't get any error from PowerShell but the resulting certificate has this error

'This certificate is not vaild because one of the certificate authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.'

Under the Certification Path tab the subordinate certificate says this

'This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.'

The commands I am using are

For root
$Cert= New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -TextExtension @("2.5.29.19 ={text}CA:true") -FriendlyName "testRoot": -Subject "testRoot" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation cert:\localmachine\My -dnsname "mydomain.com"

I manually copy this cert to Cert:\localmachine\root

For subordinate
$SubCert=New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "testSubordinate" -KeyLength 4096 -Signer $Cert -FriendlyName "SubCA-01" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com"

Any other certificate I try and create I use this
$NewCert= New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment -KeyUsageProperty All -HashAlgorithm SHA256 -Subject "Win10E-VM02" -KeyLength $KeyLength -Signer $SubCert -FriendlyName "SubCA-01" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com"

If I try and modify the -TextExtension PowerShell gives an error that the parameter is incorrect.

Any help would be appreciated

Thanks
Tim

August 7, 2016 at 4:18 pm

$RootCACert= New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "testRootCA" -FriendlyName "testRoot"  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation cert:\localmachine\My -dnsname "mydomain.com" -TextExtension @("2.5.29.19 ={text}CA:true")
$IMCACert  = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment, CertSign -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "testSubCA1" -FriendlyName "SubCA-01"  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com" -TextExtension @("2.5.29.19 ={text}CA:true") -Signer $RootCACert
$TestCert  = New-SelfSignedCertificate -KeyUsage KeyEncipherment, DataEncipherment           -HashAlgorithm SHA256 -KeyUsageProperty All -KeyLength 4096 -Subject "test-VM02"  -FriendlyName "Test-VM02" -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -certstorelocation cert:\localmachine\my -dnsname "mydomain.com" -Signer $IMCACert 
  • Add -TextExtension to the IMCA Cert line
  • Add -Provider to both IMCA and TestCert
  • This reply was modified 2 years, 2 months ago by  TomBaker.

August 8, 2016 at 5:36 pm

Thanks, I found it. For the Root certificate this is needed

-TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3")

Where ca=1 defines the cert as a signing CA and pathlength=3 is arbitrary- it defines how many SubCa's can be present

For the Subordinate certificate

-TextExtension @("2.5.29.19 = {critical} {text}ca=1&pathlength=0")

Where ca=1 defines the cert as a signing CA and pathlength=0 defines that there is no other signing CA'a below this one.

I got this information from the certutil help page. I have implemented this and it does work as intended. If anyone is interested in the script I have created, let me know I would be happy to share

Thanks again
Tim