Certification authorities (CAs) must have a certificate before they can issue certificates. They use the private key associated with this certificate to digitally sign issued certificates. When a CA obtains a certificate from another CA, the parent CA may want to control whether that certificate can be used to issue certificates to other certificate servers. This is a basic constraint.
Basic constraints are used to ensure that a certificate is only used in certain applications. An example is the path length that can be specified as a basic constraint.
The following procedure only works with certificate templates that issue certificates that sign other certificates, such as cross-certified CAs and root CAs.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.
|
To change basic constraints |
-
Open the Certificate Templates snap-in.
-
In the details pane, right-click the certificate template that you want to change, and then click Properties.
-
On the Extensions tab, click Basic Constraints, and then click Edit.
-
In Edit Basic Constraints Extension, provide the requested information.
Additional considerations
- This procedure is applicable to version 2 and
version 3 templates. For more information, see Certificate Template
Versions.