Share via

Microsoft Windows CA server (Certificate Authority)

Anonymous
2024-01-07T13:30:13+00:00

I am using Windows CA server 2012R2. I have CSR the contains Basic Constraints: CA:FALSE in the request.

However, after i signed the cert and converted to PEM format, the contents Basic Constrains became:

X509v3 Basic Constraints: critical 

            CA:FALSE

There is additional "Critical" word was included.

Below are some of the settings in the CA template when i signed the CSR.

[Under Compatibility]

  • Certificate Authority: Windows Server 2012R2
  • Certificate Recipient: Windows 8.1 / Windows Server 2012R2

[Under Extension]

  • Basic Constraint: Enable this extension <--- only tick this.
  • Make this extension critical <---- NOT ticked

My question:

How to I make the signed cert to only show X509v3 Basic Constraints: CA: FALSE ? I would like to exclude the "critical" word.

Windows for business | Windows Server | Directory services | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

11 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-01-08T06:10:57+00:00

    Hello hanlimtan,

    Thank you for posting in Microsoft Community forum.

    For X509v3, Key Usage: critical, you can uncheck the option "Make this extension critical" after you click "Key Usage" under "Extensions" tab.

    For example:

    After you set it on your certificate template, you can check if there is any critical word.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    0 comments
  2. Anonymous
    2024-01-08T06:29:51+00:00

    Hi,

    I need to remove "Critical" word under Basic Constraint, not key usage.

    This doesn't work if uncheck the option the option "Make this extension critical" after click "Key Usage" under "Extensions" tab.

    The "Critical" work still appear under Basic Constraints.

    ![](https://filestore.community.support.microsoft.com/api/images/a3f61c1f-5955-4979-bfc6-935d59a6d50c?upload=true&fud_access=wJJIheezUklbAN2ppeDns8cDNpYs3nCYjgitr%2BfFBh2dqlqMuW7np3F6Utp%2FKMltnRRYFtVjOMO5tpbpW9UyRAwvLeec5emAPixgq9ta07Dgnp2aq5eJbnfd%2FU3qhn54NvfEM6pveT5f8jO5OoJ3p7X6WzatCYr1ZjyPCQOZR3ur0xFSZBoHct9V%2BQqyx88%2BOGKnryAsPWRMoliwYyHX%2BHtn7rqmetxncgylhtT71Iq%2Fx8PfxSQ15TgvSi1mmK%2BZ99F2hL1AOsx2nqZYclDASZcLkWKjgpzDZQcYqgJ%2BbIRGvviZ7laRiBPdEaIKelrIzzRyaDbW6YimRDfYMdgdRT3XfkLQg83gAQnsHvAUa8r4ChXHb%2Bgiw0UqHHyZT92xfEWvRGC6YtXSup6mhPfs%2FVPF3K88KvEl2Fp7BzImHlw%3D)

    0 comments
  3. Anonymous
    2024-01-09T02:11:19+00:00

    Hello hanlimtan,

    Thank you for your reply.

    If you uncheck the option "Make this extension critical".

    And check the result, and check the result if "X509v3 Basic Constraints: critical CA:True"

    Reference:
    X.509v3 certificate extension "Basic Constraints" - IBM Documentation

    Best Regards,
    Daisy Zhou

    0 comments
  4. Anonymous
    2024-01-09T14:56:39+00:00

    Hi,

    Thanks for your comment. I already tried uncheck the option "Make this extension critical" - in my initial post. It did not help for Basic Constraint. It still keep showing critical.

    0 comments
  5. Anonymous
    2024-01-10T03:28:40+00:00

    Hello hanlimtan,

    Thank you for your reply.

    Please check if you check the option "Make this extension critical", and then check the result if "X509v3 Basic Constraints: critical CA: TRUE"

    Please check if you uncheck the option "Make this extension critical", and then check the result if "X509v3 Basic Constraints: critical CA: FALSE".

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    0 comments