How to make an Enterprise certification authority that is running Windows Server 2003 with Service Pack 1 or an x64-based version of Windows Server 2003 compliant with ISIS-MTT version 1.1

ISIS-MTT is a new German standard for Public Key Infrastructure (PKI) interoperability. ISIS-MTT defines data formats and communication protocols to be employed in interoperable PKI-based applications. ISIS-MTT specifications focus on security services for authentication. These include user identification and data integrity services, confidentiality services, and non-repudiation services. The ISIS-MTT standard was developed by the German government in collaboration with banking, industrial, and academic interests.

To make the Microsoft Windows certification authority (CA) compliant with ISIS-MTT version 1.1, you must complete specific configuration steps. This step-by-step article describes how to enroll certificates that comply with the ISIS-MTT requirements for an Enterprise CA.

Note Your CA must be a server that is running Microsoft Windows Server 2003 Service Pack 1 (SP1), an x64-based version of Windows Server 2003, or a later version of Windows.

Important The configuration changes that are documented in this article must be applied to the CA that enrolls the certificate. In a PKI topology, this is the parent CA of the certificate requester. If a CA certificate is requested from a subordinate CA, the type of CA that requests the certificate is not relevant.

Use the step-by-step directions in this article if the following conditions are true:

• The issuing CA issues ISIS-MTT-compliant certificates to subordinate CAs or to end-entities.
• The issuing CA takes one of the following roles:
  • Enterprise root CA
  • Enterprise subordinate CA

To configure the issuing CA correctly, use the following methods:

• Configure the issuing CA to force UTF8 encoding.
• Mark the key usage attribute as "critical" during certificate submission processing.
• For CA certificates, click to clear the Digital signature attribute to change the key usage.

Enforce UTF8 encoding

After you configure a CA to force UTF8 encoding, the UTF8 setting applies to all certificates that are issued with this CA. At the CA that must issue ISIS-MTT-compliant certificates, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following, and then press ENTER:
   certutil -setreg ca\forceteletex +0x20
   This command sets the flag so that the CA always encodes the subject with UTF8.
3. To stop and to restart the CA service, type the following at a command prompt. Press ENTER after each command.
   net stop "certificate services"
   net start "certificate services"

To undo this change, follow these steps:

1. Type the following at a command prompt, and then press ENTER:
   certutil -setreg ca\forceteletex -0x20
2. To stop and to restart the CA service, type the following commands. Press ENTER after each command.
   net stop "certificate services"
   net start "certificate services"

Note Versions of Windows that are earlier than Windows Server 2003 SP1 cannot interpret the “0x20” bit and therefore ignore it.

Configure the certificate template to change the key usage and to mark it as "critical"

When certificates are issued with an Enterprise CA, you must set the critical flag through the certificate template that is used for certificate creation. By default, CA certificate requests use the Subordinate Certification Authority certificate template. Certificates for a user or for a computer are processed in one of the following ways:

• Through the template that is specific to the certificate request.
• During the certificate submission process.

To configure the certificate template for CA certificates, follow these steps:

1. On the issuing CA, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/ Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Available Standalone Snap-ins list, click Certificate Templates, click Add, and then click Close.
5. Click OK, and then click Certificate Templates.
6. In the right-pane, right-click Subordinate Certification Authority, and then click Duplicate Template.
7. On the General tab, type SubCAcritical in the Template display name box, and then click OK.
8. Double-click SubCAcritical, click the Extensions tab, click Key Usage, and then click Edit.
9. Click to select the Make this extension critical check box, click to clear the Digital signature check box, and then click OK.
10. Click the Issuance Requirements tab, and then click to select the CA certificate manager approval check box.
    
    Note This step is optional. However, we recommend that you use this option to help you keep track of the CA certificates that are issued.
11. If you require any other customized options in the template, make these changes now, and then click OK.
12. Click Start, point to Administrative Tools, and then click Certification Authority.
13. Expand Your_CA, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
14. In the Select one or more Certificate Templates to enable on this Certification Authority list, click SubCAcritical, and then click OK.
15. Repeat steps 6 through 14 to configure the key usage setting for user or computer certificates.

Request a CA certificate for a subordinate CA

In a multi-tier PKI topology, a subordinate CA can request the CA certificate online or offline. By default, the Subordinate Certification Authority setting is always used when a request is made online. Therefore, the key usage settings are not applied. When a subordinate CA requests the CA certificate, you must complete the request offline so that you can specify the template name.

To issue a certificate for a subordinate CA, follow the steps in the "Submit the certificate request" section.

Note According to the ISIS-MTT standard, the name of a CA must contain the following distinguished name attributes:

• countryName (c)
• organizationName (o)

The requesting CA must choose an appropriate name for the CA.

Submit the certificate request

To enroll a certificate with a specific certificate template, you must set the template name during the certificate submission process by using the Certreq.exe command. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following, and then press ENTER:
   certreq submit attrib CertificateTemplate:SubCAcritical [RequestFileIn]
   Notes
   • If you used a different template name when you configured the certificate template, replace "SubCAcritical" with the template name that you used.
   • Alternatively, you can request the certificate through the Web-enrollment Web pages, instead of using the Certreq.exe command.
3. If certificate approval was configured, issue the pending CA request. To do this, expand the Pending Requests folder, click the certificate request, point to All Tasks on the Action menu, and then click Issue.
4. Make the certificate available to the user who is requesting the certificate by exporting the certificate from the certificates database. To do this, follow these steps:
   1. Click the Issued Certificates container.
   2. Click the newly issued CA certificate in the right pane, click Action, and then click Open.
   3. Click the Details tab, and then click Copy to File.
   4. On the Welcome to the Certificate Export Wizard page, click Next.
   5. Click Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), click to select the Include all certificates in the certification path if possible check box, and then click Next.
   6. In the File name box, type a file name for the saved CA certificate, and then click Next. The Export Wizard automatically adds a file name extension to the file name.
   7. On the Completing the Certificate Export Wizard page, click Finish.
   8. In the Certificate Export Wizard dialog box, Click OK.

For additional information about how to use ISIS-MTT compliant certificates with a stand-alone issuing CA, click the following article number to view the article in the Microsoft Knowledge Base: