Subordinate Certificates Appear Invalid with Certificate Server 1.0

ID: Q242032

The information in this article applies to:

Microsoft Certificate Server version 1.0

SYMPTOMS

When you view Certificate Authority (CA) client chains, subordinate certificates may not be shown. In addition, some client chain verification code may not identify subordinate certificates as valid.

CAUSE

Certificate Server 1.0 root and subordinate CA certificates do not have the critical flag set in the basic constraints extension, and the key usage bits are not completely correct. Therefore, CA hierarchies do conform to the current IETF standard. The current standard was issued after Microsoft Windows NT 4.0 Option Pack was released.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Certificate Server has been updated in Windows NT 4.0 Service Pack 6 (SP6) as follows:

Root CA certificate generation sets the critical flag.

Subordinate CA certificate requests include the basic constraints and key usage extension.

STATUS

Microsoft has confirmed this to be a problem in Certificate Server 1.0. This problem was first corrected in Windows NT 4.0 Service Pack 6.

Additional query words:

Keywords : kbbug4.00 kbfix4.00 NT4SP6Fix
Version : winnt:1.0
Platform : winnt
Issue type : kbbug