The following problem affects a certification authority running on the 64-bit edition of Windows Server 2008 or Windows Server 2008 R2. The problem does not occur on the x86 (32-bit) edition of either operating system.
When installing a subordinate enterprise CA using a basicconstraintsextension section in a CAPolicy.inf file, the installation fails and the management console crashes. In this case, the following information is logged in the event log:
The problem occurs when the CA certificate request is created and the basic constraints extension from the CAPolicy.inf file is evaluated. The following sample illustrates a CAPolicy.inf file causing the error:
The problem has been classified as a Windows bug. Until the bug is fixed, you have to remove the basicconstraintsextension section from the CAPolicy.inf file and set the basic constraints extension on the certificate template that is used to enroll for the CA certificate.
In the Active Directory forest of which the subordinate CA is a member, start the Certificate Templates snap-in (certtmpl.msc).
Right click the Subordinate Certificate Authority template and duplicate it.
Enter the name for the new template (in this example "MySubordinateCA"), then on the Extensions tab select the Basic Constraints extension and click Edit.
After choosing whether the "Basic Constraints" extension should be critical and whether the subordinate CA is allowed to certify other CAs, click OK twice and close the "Certificate Templates" snap-in.
Refresh the certificate templates on the CA that needs to be installed.
Once the new certificate template is applied to the server where the CA is to be installed, the CA setup will pick up the certificate template MySubordinateCA and generate the certificate request for the CA. The basic constraints extension is applied to the certificate request from the template information.
Therefore, it doesn't matter whether the subordinate CA is requesting a certificate from a third-party CA or from a Windows-based standalone CA (which knows nothing about templates). The problem occurs during certificate request creation, before the request is sent to the parent CA.
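Two checks that go with the workaround above, as an added example that is not part of the original article and not Microsoft's code. The first function flags a basicconstraintsextension section in CAPolicy.inf before CA setup is run on an affected x64 server (the trigger described at the top of the article); the second verifies, on the issued CA certificate, that the basic constraints the template was configured with (critical flag, cA flag, and whether the subordinate may certify other CAs, expressed as the path length constraint) actually made it into the certificate. The default CAPolicy.inf location under %SystemRoot%, the Critical and PathLength key names, and the expected values passed as parameters are assumptions for this example; the certificate inspection uses the .NET X509Certificate2 and X509BasicConstraintsExtension classes.

```powershell
# Added example, not from the original article: pre-flight check of CAPolicy.inf and
# post-issuance check of the CA certificate's Basic Constraints extension.

function Test-CAPolicyBasicConstraintsSection {
    # Reports whether CAPolicy.inf contains a [BasicConstraintsExtension] section, the
    # condition that makes CA setup crash on x64 Windows Server 2008 / 2008 R2.
    param(
        # Assumed default: CA setup reads CAPolicy.inf from %SystemRoot%.
        [string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf')
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; HasSection = $false; Settings = @{} }
    }
    $sectionSeen = $false
    $inSection   = $false
    $settings    = @{}
    foreach ($line in Get-Content -Path $Path) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # skip blank lines and ; comments
        if ($text -match '^\[(.+)\]$') {                            # [Section] header
            $inSection = ($Matches[1] -ieq 'BasicConstraintsExtension')
            if ($inSection) { $sectionSeen = $true }
            continue
        }
        if ($inSection -and $text -match '^([^=]+)=(.*)$') {        # Key=Value inside the section
            $settings[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        HasSection = $sectionSeen
        Settings   = $settings      # e.g. Critical=Yes, PathLength=0 (key names assumed)
    }
}

function Test-CACertificateBasicConstraints {
    # Verifies that an issued CA certificate (DER or Base64 .cer) carries the basic
    # constraints that were configured on the duplicated template.
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [bool]$ExpectCritical = $true,
        # 0 = subordinate may not certify other CAs; pass -1 to skip the path length check.
        [int]$ExpectedPathLength = 0
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        Select-Object -First 1

    $findings = @()
    if (-not $bc) {
        $findings += 'Basic Constraints extension is missing'
        return [pscustomobject]@{ Subject = $cert.Subject; IsCA = $false; Critical = $false
                                  PathLength = 'none'; Ok = $false; Findings = $findings }
    }
    if (-not $bc.CertificateAuthority) { $findings += 'cA flag is FALSE; this is not a CA certificate' }
    if ($bc.Critical -ne $ExpectCritical) { $findings += "Critical is $($bc.Critical), expected $ExpectCritical" }
    if ($ExpectedPathLength -ge 0) {
        if (-not $bc.HasPathLengthConstraint) {
            $findings += 'no path length constraint; the subordinate may certify other CAs'
        } elseif ($bc.PathLengthConstraint -ne $ExpectedPathLength) {
            $findings += "path length is $($bc.PathLengthConstraint), expected $ExpectedPathLength"
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        IsCA       = $bc.CertificateAuthority
        Critical   = $bc.Critical
        PathLength = $(if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' })
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage (paths are placeholders):
# Before running CA setup on the x64 server:
#   $pre = Test-CAPolicyBasicConstraintsSection
#   if ($pre.HasSection) { Write-Warning "Remove [BasicConstraintsExtension] from $($pre.Path) and use the template instead." }
# After the parent CA has issued the subordinate CA certificate:
#   Test-CACertificateBasicConstraints -CertPath 'C:\temp\SubCA.cer' -ExpectCritical $true -ExpectedPathLength 0
```

The second function is worth running regardless of whether the parent is an enterprise CA, a standalone CA, or a third-party CA: the basic constraints are set when the request is built from the template, but a parent CA can still issue the certificate with different extension contents, so the issued certificate is the only place to confirm the final values.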