Standalone Root CA does not enforce KeyUsage settings from CAPolicy.inf when issuing certificates

I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019.

The RootCA seems to ignore the CAPolicy.inf configuration settings when signing the SubCA's CSR, as shown in the pending request properties view.

The CAPolicy.inf on the RootCA (%SystemRoot%\CAPolicy.inf) is this:

[Version]
Signature= "$Windows NT$"

[Strings]
; id-ce-keyUsage
szOID_KEY_USAGE = "2.5.29.15"

[Extensions]
; base64 of DER 03 02 01 86: BIT STRING with digitalSignature, keyCertSign, cRLSign
%szOID_KEY_USAGE% = AwIBhg==
Critical = %szOID_KEY_USAGE%

During RootCA installation, the CAPolicy.inf was used to make the KeyUsage extension of the root certificate critical. This can be seen in the root certificate properties as well as in certocm.log ("Opened Policy inf: C:\Windows\CAPolicy.inf").

The documentation states

The CAPolicy.inf is a configuration file that defines the extensions, constraints, and other configuration settings that are applied to a root CA certificate and all certificates issued by the root CA.

So, why does the RootCA ignore the CAPolicy.inf when issuing a (SubCA) certificate, despite the docs stating otherwise?


If the CSR has the BasicConstraints extension set to CA=True, the CA will default to what you see above. You can override this by running the following on the signing CA (the Root):

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Restart the service, then try again.
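The following PowerShell helpers are an added example and are not part of the question or the answer. They decode the base64 value from the CAPolicy.inf in the question (AwIBhg== is the DER bytes 03 02 01 86, a BIT STRING with one unused bit whose 0x86 sets digitalSignature, keyCertSign and cRLSign), encode a chosen set of flags back into the form CAPolicy.inf expects, and report the KeyUsage extension and its criticality from an issued certificate so the result of the EditFlags change can be checked. The certificate path is an assumption; the script needs only .NET, so the decode and encode parts run on any Windows host.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1 or
# PowerShell 7; $SubCaCertPath below is a hypothetical export of the SubCA cert.

$KeyUsageOid = '2.5.29.15'   # id-ce-keyUsage, the same OID as szOID_KEY_USAGE

# Decode a CAPolicy.inf style value (base64 of the DER BIT STRING) into flags.
function ConvertFrom-CaPolicyKeyUsage {
    param([Parameter(Mandatory)][string]$Base64Der)
    $raw = [Convert]::FromBase64String($Base64Der)
    $asn = [System.Security.Cryptography.AsnEncodedData]::new($KeyUsageOid, $raw)
    # The critical flag is not part of the DER value; CAPolicy.inf sets it separately.
    $ext = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($asn, $false)
    return $ext.KeyUsages
}

# Encode a set of flags into the base64 DER string that CAPolicy.inf expects.
function ConvertTo-CaPolicyKeyUsage {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$Flags)
    $ext = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($Flags, $true)
    return [Convert]::ToBase64String($ext.RawData)
}

# Report the KeyUsage extension (flags and criticality) carried by a certificate file.
function Get-CertKeyUsageReport {
    param([Parameter(Mandatory)][string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid }
    if (-not $ku) {
        return [pscustomobject]@{ Subject = $cert.Subject; KeyUsage = '(absent)'; Critical = $false }
    }
    # Re-wrap as X509KeyUsageExtension so the flags are decoded regardless of runtime.
    $kuExt = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($ku, $ku.Critical)
    [pscustomobject]@{
        Subject  = $cert.Subject
        KeyUsage = $kuExt.KeyUsages
        Critical = $ku.Critical
    }
}

# 1. Decode the value used in the question's CAPolicy.inf.
ConvertFrom-CaPolicyKeyUsage -Base64Der 'AwIBhg=='

# 2. Produce a CAPolicy.inf value for the usual CA key usage set.
$caFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature,KeyCertSign,CrlSign'
ConvertTo-CaPolicyKeyUsage -Flags $caFlags

# 3. Check what the RootCA actually placed in the issued SubCA certificate
#    (the path is an assumption; export the SubCA cert there first).
$SubCaCertPath = 'C:\Temp\SubCA.cer'
if (Test-Path $SubCaCertPath) {
    Get-CertKeyUsageReport -Path $SubCaCertPath | Format-List
}

# 4. Show the policy module EditFlags currently in effect on this CA.
certutil -getreg policy\EditFlags
```

Run steps 1 and 2 anywhere to confirm what a given base64 string means before putting it in CAPolicy.inf; run steps 3 and 4 on the signing CA before and after changing EditFlags and restarting CertSvc, and compare the reported KeyUsage and Critical values against what CAPolicy.inf asked for.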