Dear Marcus Serrao,
Thank you for posting your question on Microsoft Q&A.
My name is Hoang Phan, and I understand that you have some concerns related to CA certificate extensions.
From my understanding, you would like to configure the Key Usage extension as Critical in your CA certificate. Could you please confirm which CA you want to configure this for – a Root CA or a Subordinate CA?
Keep in mind that the Root CA is responsible for renewing both its own certificate and the certificates of its subordinate CAs. Therefore, if you want to configure this for a Subordinate CA, you will need to modify the CApolicy.inf file on the Root CA before issuing or renewing the subordinate CA certificate.
Based on my research, the following configuration can be added to the CApolicy.inf file on the Root CA to mark the Key Usage extension as critical and to exclude the "DigitalSignature" key usage:
[Extensions]
2.5.29.15 = AwIBBg==
Critical = 2.5.29.15
Reference: Description of the necessary configuration settings for the common PKI certificate profile
I hope this information proves helpful. Please don’t hesitate to reach out if you need further clarification—I’ll be happy to assist 🙂
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Best regards,
Hoang Phan
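Added example, not part of the original answer: a Python sketch that decodes the base64 value used for 2.5.29.15 in the answer above into Key Usage names, and encodes a chosen set of usages back into the same form, so the value can be checked before it goes into the policy file. The function names are hypothetical; the bit positions are the KeyUsage bits defined in RFC 5280.

```python
import base64

# Bit positions of the KeyUsage extension (OID 2.5.29.15) per RFC 5280.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def encode_key_usage(names):
    """Return the base64 DER BIT STRING for the given key usage names."""
    # index() raises ValueError for a name that is not a KeyUsage bit.
    positions = sorted({KEY_USAGE_BITS.index(n) for n in names})
    if not positions:
        raise ValueError("at least one key usage is required")
    highest = positions[-1]
    content = bytearray(highest // 8 + 1)
    for p in positions:
        content[p // 8] |= 0x80 >> (p % 8)  # bit 0 is the MSB of byte 0
    unused = 7 - (highest % 8)              # DER drops trailing zero bits
    der = bytes([0x03, len(content) + 1, unused]) + bytes(content)
    return base64.b64encode(der).decode("ascii")


def decode_key_usage(b64_value):
    """Return the key usage names set in a base64 DER BIT STRING."""
    der = base64.b64decode(b64_value, validate=True)
    if len(der) not in (4, 5) or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING holding a KeyUsage value")
    unused, content = der[2], der[3:]
    if unused > 7 or content[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    return [
        name for p, name in enumerate(KEY_USAGE_BITS)
        if p // 8 < len(content) and content[p // 8] & (0x80 >> (p % 8))
    ]


if __name__ == "__main__":
    # Value taken from the [Extensions] section in the answer above.
    print(decode_key_usage("AwIBBg=="))
    print(encode_key_usage(["keyCertSign", "cRLSign"]))
```

The Critical line in the [Extensions] section is separate from this value: the base64 string only carries the usage bits, not the criticality flag.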