The following problem affects a Certification Authority running on the 64-bit edition of Windows Server 2008 and Windows Server 2008 R2. The problem does not occur on the x86 (32-bit) platform of either operating system.
When installing a subordinate enterprise CA using a basicconstraintsextension section in a CAPolicy.inf file, the installation fails because the management console (mmc.exe) crashes. In this case, the following information is logged in the event log:
Log Name: Application
Source: Application Error
Date: 21.07.2009 12:40:27
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: DMW2K8R201.forest3.test
Description:
Faulting application name: mmc.exe, version: 6.1.7100.0, time stamp: 0x49ee94f3
Faulting module name: ntdll.dll, version: 6.1.7100.0, time stamp: 0x49eeab11
Exception code: 0xc0000374
Fault offset: 0x00000000000c2a42
Faulting process id: 0xb08
Faulting application start time: 0x01ca09ef63d735ed
Faulting application path: C:\Windows\system32\mmc.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e6add21f-75e2-11de-80e5-00155d500124
The problem occurs when the CA certificate request is created and the basic constraints extension from the CAPolicy.inf file is evaluated. The following sample CAPolicy.inf file triggers the error:
[Version]
Signature= "$Windows NT$"

[Certsrv_Server]
RenewalKeyLength = 4096
RenewalValidityPeriodUnits = 12
RenewalValidityPeriod = years
CRLPeriod = weeks
CRLPeriodUnits = 1
CRLDeltaPeriod = days
CRLDeltaPeriodUnits = 0

[basicconstraintsextension]
pathlength = 0
critical=true

[RequestAttributes]
CertificateTemplate = MySubordinateCA
The problem has been classified as a Windows bug. Until the bug is fixed, you have to remove the basicconstraintsextension section from the CAPolicy.inf file and set the basic constraints extension on the certificate template that is used to enroll for the CA certificate.
Once the new certificate template is available to the server where the CA is to be installed, CA setup picks up the certificate template MySubordinateCA and generates the certificate request for the CA. The basic constraints extension is added to the certificate request from the template information.
Therefore, it doesn't matter whether the subordinate CA requests its certificate from a third-party CA or from a Windows-based standalone CA (which knows nothing about templates): the problem occurs while the certificate request is being created, before the request is sent to the parent CA.
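The template workaround only helps if the generated request really carries what the removed CAPolicy.inf section asked for (cA=TRUE, pathLenConstraint=0, critical=TRUE). The following added example, which is not part of the original article, encodes that basicConstraints extension in DER and checks a DER-encoded extension (for instance one extracted from the request) against those settings; all byte strings are constructed inline and the function names are my own.

```python
"""Encode and verify the X.509 basicConstraints extension (OID 2.5.29.19)
that [basicconstraintsextension] pathlength = 0 / critical=true describes."""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19


def _tlv(data, pos):
    """Parse one short-form DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:  # the extension is tiny, long-form lengths are not expected
        raise ValueError("unsupported long-form DER length")
    start = pos + 2
    return tag, data[start:start + length], start + length


def encode_basic_constraints(path_length, critical):
    """Build Extension ::= SEQUENCE { extnID, critical BOOLEAN, extnValue OCTET STRING }."""
    inner = b"\x01\x01\xff"  # cA BOOLEAN TRUE
    if path_length is not None:  # pathLenConstraint INTEGER (0..127 fits one byte)
        inner += b"\x02\x01" + bytes([path_length])
    value = b"\x30" + bytes([len(inner)]) + inner  # BasicConstraints SEQUENCE
    body = b"\x06\x03" + BASIC_CONSTRAINTS_OID
    if critical:  # DER omits critical when it equals the DEFAULT (FALSE)
        body += b"\x01\x01\xff"
    body += b"\x04" + bytes([len(value)]) + value
    return b"\x30" + bytes([len(body)]) + body


def parse_basic_constraints(ext):
    """Return {'critical', 'ca', 'path_length'} from a DER Extension SEQUENCE."""
    tag, body, _ = _tlv(ext, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or oid != BASIC_CONSTRAINTS_OID:
        raise ValueError("not a basicConstraints extension")
    critical = False
    tag, val, pos = _tlv(body, pos)
    if tag == 0x01:  # optional critical flag precedes extnValue
        critical = val == b"\xff"
        tag, val, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue OCTET STRING")
    _, inner, _ = _tlv(val, 0)
    ca, path_length, p = False, None, 0
    while p < len(inner):
        t, v, p = _tlv(inner, p)
        if t == 0x01:
            ca = v == b"\xff"
        elif t == 0x02:
            path_length = int.from_bytes(v, "big")
    return {"critical": critical, "ca": ca, "path_length": path_length}


def matches_capolicy(ext, path_length=0, critical=True):
    """True when the extension carries exactly what the CAPolicy.inf section asked for."""
    got = parse_basic_constraints(ext)
    return got["ca"] and got["critical"] == critical and got["path_length"] == path_length
```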