AD CS Installation is Crashing on x64 Platform - Windows PKI blog - Site Home

The following problem affects a Certification authority running on the 64-bit edition of Windows Server 2008 and Windows Server 2008 R2. The problem does not occur on x86 (32-bit) platform of both operating systems.

When installing a subordinate enterprise CA using basicconstraintsextension section in a CAPolicy.inf file, the installation fails with a crashing management console. In this case, the following information is logged in the event log:

Log Name:      Application
Source:        Application Error
Date:          21.07.2009 12:40:27
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DMW2K8R201.forest3.test
Description:
Faulting application name: mmc.exe, version: 6.1.7100.0, time stamp: 0x49ee94f3
Faulting module name: ntdll.dll, version: 6.1.7100.0, time stamp: 0x49eeab11
Exception code: 0xc0000374
Fault offset: 0x00000000000c2a42
Faulting process id: 0xb08
Faulting application start time: 0x01ca09ef63d735ed
Faulting application path: C:\Windows\system32\mmc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e6add21f-75e2-11de-80e5-00155d500124

The problem occurs when the CA certificate request is created and the basic constraint extension is evaluated in the CAPolicy.inf file. The following sample illustrates a CAPolicy.inf file causing the error:

[Version]
Signature= "$Windows NT$"

[Certsrv_Server]
RenewalKeyLength = 4096
RenewalValidityPeriodUnits = 12
RenewalValidityPeriod = years
CRLPeriod = weeks
CRLPeriodUnits = 1
CRLDeltaPeriod = days
CRLDeltaPeriodUnits = 0

[basicconstraintsextension]
pathlength = 0
critical=true

[RequestAttributes]
CertificateTemplate = MySubordinateCA

The problem has been classified as a Windows bug. Until the bug is fixed, you have to remove basicconstraintsextension section from the CAPolicy.inf file and set the basic constraints extension at the certificate template that is used to enroll for the CA certificate.

In the Active Directory forest where the subordinate CA is a member of, start the Certificate Templates snap-in (certtmpl.msc)
Right click the Subordinate Certificate Authority template and duplicate it.
Enter the name for a new template (in this example "MySubordinateCA") and in the Extensions tab select Basic Constraints extension and click on Edit.
After choosing if the "Basic Constraints" extension should be critical or not and if the Subordinate CA is allowed to certify other CAs click OK twice and close "Certificate Templates" snap-in.
Refresh the certificate templates on the CA that needs to be installed.

Once the new certificate template is applied to the server where the CA is to be installed, the CA setup will pick up the certificate template MySubordinateCA and generate the certificate request for the CA. The basic constraints extension is applied to the certificate request from the template information.

Therefore, it doesn't matter if the subordinate CA is requesting a certificate from a 3rd Party CA or Windows based Standalone CA (which has no idea about the templates). The problem occurs during the certificate request creation and before sending the request to the parent CA.