Remove Digital Signature from the KeyUsage field of a CA certificate.
Problem Statement:
Cause:
The Root CA and Policy CA should be used only for CRL Signing, Offline CRL Signing and Certificate Signing.
Resolution
Verified that the Certificate Policies field was added to the certificate with the policy OID. This must match on all CAs in the hierarchy.
To remove Digital Signature from the KeyUsage field of the certificate, configure the registry by running the following commands on the Root CA:
- certutil -setreg Policy\EditFlags -EDITF_ADDOLDKEYUSAGE
- net stop certsvc
- net start certsvc
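The following PowerShell script is an added verification aid, not part of the original article, covering both points above: that EDITF_ADDOLDKEYUSAGE is no longer set in the CA's policy module EditFlags, that a CA certificate's KeyUsage extension carries Certificate Signing and CRL Signing without Digital Signature, and that the Certificate Policies extension decodes identically across the certificates of the hierarchy. It assumes it runs as an administrator on the CA host (for the registry check) and that the CA certificates to inspect have been exported to files; the file paths used are placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated session on the CA
# host for the registry check and exported CA certificates for the extension checks.
Set-StrictMode -Version Latest

# EDITF_ADDOLDKEYUSAGE is bit 0x2 of the policy module's EditFlags DWORD.
$EDITF_ADDOLDKEYUSAGE = 0x2
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-CaEditFlagsStatus {
    # CertSvc registry layout: Configuration\Active names the CA, and
    # <CA>\PolicyModules\Active names the policy module that holds EditFlags.
    $cfg       = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $cfg -Name Active).Active
    $modules   = Join-Path $cfg "$caName\PolicyModules"
    $module    = (Get-ItemProperty -Path $modules -Name Active).Active
    $editFlags = (Get-ItemProperty -Path (Join-Path $modules $module) -Name EditFlags).EditFlags

    [pscustomobject]@{
        CA                = $caName
        PolicyModule      = $module
        EditFlags         = ('0x{0:X}' -f $editFlags)
        AddOldKeyUsageSet = (($editFlags -band $EDITF_ADDOLDKEYUSAGE) -ne 0)
    }
}

function Test-CaCertificateKeyUsage {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $ext  = @($cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] })
    if ($ext.Count -eq 0) { throw "No KeyUsage extension found in $Path" }
    $usages = $ext[0].KeyUsages

    $hasDigSig   = $usages.HasFlag($KU::DigitalSignature)
    $hasCertSign = $usages.HasFlag($KU::KeyCertSign)
    $hasCrlSign  = $usages.HasFlag($KU::CrlSign)

    [pscustomobject]@{
        Subject             = $cert.Subject
        KeyUsage            = $usages.ToString()
        HasDigitalSignature = $hasDigSig
        # Expected state for a CA certificate per the article: cert signing and
        # CRL signing present, digital signature absent.
        Compliant           = (-not $hasDigSig) -and $hasCertSign -and $hasCrlSign
    }
}

function Get-CertificatePolicyText {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # 2.5.29.32 is the Certificate Policies extension; Format($true) decodes it
    # to multi-line text that includes each Policy Identifier OID.
    $ext = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' })
    if ($ext.Count -eq 0) { return $null }
    return $ext[0].Format($true)
}

function Compare-CaCertificatePolicies {
    param([Parameter(Mandatory)][string[]]$Paths)
    $texts    = @($Paths | ForEach-Object { Get-CertificatePolicyText -Path $_ })
    $missing  = @($texts | Where-Object { -not $_ }).Count
    $distinct = @($texts | Where-Object { $_ } | Sort-Object -Unique).Count
    [pscustomobject]@{
        Certificates = $Paths
        Policies     = $texts
        # True only when every certificate has the extension and all decode identically.
        AllMatch     = ($missing -eq 0 -and $distinct -eq 1)
    }
}

# Example usage; the paths are placeholders for exported Root CA and Policy CA certificates.
Get-CaEditFlagsStatus | Format-List
Test-CaCertificateKeyUsage -Path 'C:\pki\RootCA.cer'   | Format-List
Test-CaCertificateKeyUsage -Path 'C:\pki\PolicyCA.cer' | Format-List
Compare-CaCertificatePolicies -Paths 'C:\pki\RootCA.cer', 'C:\pki\PolicyCA.cer' | Format-List
```

`AddOldKeyUsageSet` should report `False` after the `certutil -setreg` command and service restart. The flag governs certificates the CA issues from that point on; a Policy CA certificate issued before the change keeps its existing KeyUsage until it is renewed, so run `Test-CaCertificateKeyUsage` against the renewed certificate. A compliant result corresponds to the Windows certificate viewer showing "Certificate Signing, Off-line CRL Signing, CRL Signing (06)", which is the KeyCertSign and CrlSign bits without DigitalSignature.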