Hello, I had built a test 5-level CA and was doing Microsoft smart card logon from the end-tier CA. I had a BIG BIG problem: my Sub CAs did not have the Smart Card Logon extension in the EKU, so my end-entity certificates were unable to do SC logon. The error was that the client certificate and chain certificates are not valid for the intended usage. Actually, the SC logon extension was missing in all the upper-layer Sub CA certs. I diagnosed it after a long time and included the desired extension in all my Sub CA certs. Actually, Microsoft treats it like a constraint if an extension is not present.
As there are a lot of extensions, and thinking about the evolution, many extensions will be created and used in the future, so if I add a particular set of extensions to my Sub CA certs, then in the future I would be setting a constraint on my PKI solution and would not be able to use these new extensions in end-entity certificates. Is it the best solution to remove the EKU from all my Sub CA certs to avoid constraints? Waiting for reply. Regards, Scott
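The chain behaviour Scott ran into, modelled as an added example (not code from the original post): a Windows-style chain engine intersects the EKU extension of every certificate in the path, so a sub CA that carries an EKU list limits everything below it, while a sub CA with no EKU extension adds no limit. Certificates here are constructed records rather than real X.509 objects; the OIDs are the real ones for Smart Card Logon, Client Authentication and Server Authentication.

```python
# Added example: model of the EKU "intended usage" check along a certificate path.
# A CA cert WITH an EKU extension restricts subordinates to those OIDs; a CA cert
# WITHOUT the extension imposes no restriction. Records are constructed, not X.509.

SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # id-kp-clientAuth
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth


def effective_ekus(chain):
    """chain: list of dicts ordered leaf -> root. 'eku' is a set of OIDs, or None
    when the certificate has no EKU extension. Returns the usages the whole path
    allows, or None meaning 'any usage' (no cert in the path carried an EKU)."""
    allowed = None
    for cert in chain:
        if cert["eku"] is None:
            continue  # no EKU extension: this certificate adds no constraint
        allowed = set(cert["eku"]) if allowed is None else allowed & set(cert["eku"])
    return allowed


def valid_for(chain, usage):
    """True when every EKU-bearing certificate in the path permits 'usage'."""
    allowed = effective_ekus(chain)
    return allowed is None or usage in allowed


def first_blocking_cert(chain, usage):
    """Name of the first certificate (leaf upward) whose EKU excludes 'usage'."""
    for cert in chain:
        if cert["eku"] is not None and usage not in cert["eku"]:
            return cert["name"]
    return None


# Constructed 5-level hierarchy from the post: the user cert asks for Smart Card
# Logon, and the four sub CAs are issued with the EKU passed in (None = no EKU).
ROOT = {"name": "Root CA", "eku": None}


def chain_with_subca_eku(subca_eku):
    leaf = {"name": "user", "eku": {SMART_CARD_LOGON, CLIENT_AUTH}}
    subs = [{"name": f"Sub CA {i}", "eku": subca_eku} for i in (4, 3, 2, 1)]
    return [leaf] + subs + [ROOT]


if __name__ == "__main__":
    cases = {"Sub CAs with Client Auth only": {CLIENT_AUTH},
             "Sub CAs with Client Auth + SC Logon": {CLIENT_AUTH, SMART_CARD_LOGON},
             "Sub CAs with no EKU extension": None}
    for label, eku in cases.items():
        chain = chain_with_subca_eku(eku)
        print(f"{label}: smart card logon valid = {valid_for(chain, SMART_CARD_LOGON)}, "
              f"blocked by = {first_blocking_cert(chain, SMART_CARD_LOGON)}")
```

The last case shows why dropping the EKU from the sub CA certs avoids the constraint: the leaf's own EKU still decides what the certificate may be used for, but no intermediate narrows it.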