Adding Authority Key Identifier (OID: 2.5.29.35) to CAPolicy.inf in ADCS

Vinay Thakur 0 Reputation points
2025-06-27T10:02:52.45+00:00

The goal is to configure a new Certificate Authority (CA) using Active Directory Certificate Services (ADCS) and add the Authority Key Identifier (AKI) extension to the root certificate generated during CA installation. The AKI needs to match the Subject Key Identifier (SKI), which is auto-generated by ADCS.

Multiple attempts to configure this through the CAPolicy.inf file have been made, including:

1. [Extensions]
   2.5.29.35 = true

2. [Extensions]
   2.5.29.35 = 2.5.29.14

The current contents of the CAPolicy.inf file are as follows:

[Version]
Signature="$Windows NT$"

[basicconstraintsextension]
pathlength=
Critical=Yes
CA=True

[Extensions]
2.5.29.35 = true

;Key Usage
;The key usage is represented as a DER-encoded bit string. The first byte is the tag of the
;bit string type. This is static 03.

;The second byte is the length of the remaining value and is set to 02.

;The third byte is the number of unused trailing bits in the last byte (01 here), and the
;fourth byte holds the actual key usage bits.

;The key usage values are defined in the Wincrypt.h include file. Thus 03 02 01 06 = AwIBBg==

;CERT_KEY_CERT_SIGN_KEY_USAGE 0x04  |
;CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02 |
;CERT_CRL_SIGN_KEY_USAGE 0x02

2.5.29.15 = AwIBBg==
Critical = 2.5.29.15

; Remove CA Version
1.3.6.1.4.1.311.21.1 =

; Remove Certificate Template Name
1.3.6.1.4.1.311.21.7 =

; Remove Certificate Template Name (Certificate Type) CA
1.3.6.1.4.1.311.20.2 =

Requesting suggestions on how to properly add the Authority Key Identifier to the root certificate so that it aligns with the Subject Key Identifier.


1 answer

  1. Chen Tran 1,645 Reputation points Independent Advisor
    2025-07-02T06:27:27.3666667+00:00

    Hello Vinay,

    Thank you for posting your question on the Microsoft Windows Forum.

    Regarding your query about directly forcing the Authority Key Identifier (AKI) to match the Subject Key Identifier (SKI) in the root certificate during initial ADCS installation via CAPolicy.inf: unfortunately, this is not directly supported in the way you are attempting. The following are the plausible explanations for that.

    1. Root CA AKI:

    • For a self-signed root certificate, the Authority Key Identifier (AKI) should conceptually point to itself. In practice, for a root CA, the AKI is often either omitted or, if present, it typically matches its own Subject Key Identifier (SKI). ADCS by default handles this for a root CA.

    2. ADCS Behavior for Root CAs:

    • When you install a standalone or enterprise root CA, ADCS generates a self-signed certificate. By design, for a self-signed certificate, the AKI typically isn't present or, if it is, it is the same as the SKI of that same certificate. This is the expected and RFC-compliant behavior for a root CA.

    3. CAPolicy.inf Cannot Copy the SKI into the AKI:

    • CAPolicy.inf is processed at CA install/renewal time to apply static extensions to the root certificate. It does not support dynamic placeholders or references—so lines such as 2.5.29.35 = true or 2.5.29.35 = 2.5.29.14 are ignored (or overwritten) by ADCS’s built-in certificate generation logic. In short, you cannot tell ADCS “take whatever SKI you generated, and reuse it as the AKI” via CAPolicy.inf.
    • For more information: https://techcommunity.microsoft.com/blog/askds/windows-server-2008-r2-capolicy-inf-syntax/397200

    Hope the above information is helpful!

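Since the answer explains that the root's AKI is either absent or equal to its own SKI, the practical step is to verify that relationship on the installed root certificate rather than try to force it through CAPolicy.inf. The script below is an added example, not code from the question or the answer; it assumes a placeholder path to the CA's own .crt file and uses the .NET X509 classes available in Windows PowerShell.

```powershell
# Added example: inspect the root CA certificate after installation and confirm that the
# Authority Key Identifier (2.5.29.35), if present, carries the same key identifier as the
# Subject Key Identifier (2.5.29.14), and show what the Key Usage value from CAPolicy.inf became.
# The certificate path is an assumed placeholder; point it at the CA's own .crt in CertEnroll.
param(
    [string]$CaCertPath = 'C:\Windows\System32\CertSrv\CertEnroll\ROOTCA-PLACEHOLDER.crt'
)

function Get-AkiKeyIdentifier {
    # AKI value: SEQUENCE { [0] keyIdentifier OPTIONAL, [1] authorityCertIssuer OPTIONAL, [2] serial OPTIONAL }
    # A SHA-1 key identifier is 20 bytes, so every length field here fits in a single byte.
    param([byte[]]$RawData)
    if ($RawData[0] -ne 0x30) { throw 'AKI extension value is not a DER SEQUENCE' }
    if ($RawData[2] -ne 0x80) { return $null }  # AKI present, but without a keyIdentifier element
    $len = [int]$RawData[3]
    return (($RawData[4..(3 + $len)] | ForEach-Object { $_.ToString('X2') }) -join '')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
if ($cert.Subject -ne $cert.Issuer) { Write-Warning 'Subject and Issuer differ: this is not a self-signed root.' }

# Subject Key Identifier is generated by ADCS and must be present on the root.
$skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if (-not $skiExt) { throw 'Root certificate has no Subject Key Identifier' }
$ski = (New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $skiExt, $false).SubjectKeyIdentifier
Write-Host "SKI: $ski"

# Authority Key Identifier: absent is fine for a self-signed root; if present it must equal the SKI.
$akiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
if (-not $akiExt) {
    Write-Host 'AKI: absent (acceptable for a self-signed root)'
} else {
    $aki = Get-AkiKeyIdentifier -RawData $akiExt.RawData
    if ($aki -eq $ski) { Write-Host "AKI: $aki (matches SKI)" }
    else { Write-Warning "AKI keyIdentifier '$aki' does not match SKI '$ski'" }
}

# Key Usage: the CAPolicy.inf value 03 02 01 06 (AwIBBg==) should decode to KeyCertSign, CrlSign.
$kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if ($kuExt) {
    $ku = (New-Object System.Security.Cryptography.X509Certificates.X509KeyUsageExtension -ArgumentList $kuExt, $false).KeyUsages
    Write-Host "Key Usage: $ku (critical: $($kuExt.Critical))"
}
```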
