Microsoft KB Archive/899313

= The CertGetEnhancedKeyUsage function and the ExtendedKeyUsage method of the CAPICOM.Certificate object return the incorrect number of extended key usages on a computer that is running Windows XP or Windows 2000 =

Article ID: 899313

Article Last Modified on 4/29/2007


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002






SYMPTOMS
When you use a certificate that contains more than 100 extended key usages (EKUs), the CertGetEnhancedKeyUsage function and the ExtendedKeyUsage method of the CAPICOM.Certificate object return the incorrect number of EKUs. This problem occurs on a computer that is running Microsoft Windows XP or Microsoft Windows 2000.

Note: The ExtendedKeyUsage method is implemented by using the CertGetEnhancedKeyUsage function.



CAUSE
This problem occurs because the CertGetEnhancedKeyUsage function has a limit of 100 EKUs. When this limit is exceeded, Windows XP and Windows 2000 do not work correctly. Currently, the use of more than 100 EKUs in a single certificate is not supported.



WORKAROUND
To work around this problem, use one of the following methods:
 * Use 100 or fewer EKUs in a single certificate. If you need more than 100 EKUs, use two or more certificates that each contain fewer than 100 EKUs.
 * Use the CryptDecodeObjectEx function if you use the Microsoft Cryptography API (CryptoAPI) functions. However, the use of more than 100 EKUs in a single certificate is still not supported.

Note: There is no workaround for this problem if you use the ExtendedKeyUsage method of the CAPICOM.Certificate object.
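A caller can only tell that a certificate is over the limit if it counts the EKUs independently of CertGetEnhancedKeyUsage. The following portable C is an added example, not Microsoft's code and not part of the original article: it counts the OIDs directly in the DER-encoded value of the enhanced key usage extension (OID 2.5.29.37, a SEQUENCE OF OBJECT IDENTIFIER) without calling CryptoAPI. The function names and the sample input built from the example OID arc 2.999 are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define EKU_LIMIT 100 /* limit the article states for CertGetEnhancedKeyUsage */

/* Parse one DER tag/length header; returns header size, or 0 if malformed or truncated. */
static size_t der_header(const uint8_t *p, size_t n, uint8_t *tag, size_t *len)
{
    if (n < 2) return 0;
    size_t k = (p[1] & 0x80) ? (p[1] & 0x7f) : 0, v = k ? 0 : p[1];
    if ((p[1] & 0x80) && (k == 0 || k > 4 || k > n - 2)) return 0; /* bad long form */
    for (size_t i = 0; i < k; i++) v = (v << 8) | p[2 + i];
    if (v > n - 2 - k) return 0;             /* content must fit in the buffer */
    *tag = p[0]; *len = v;
    return 2 + k;
}

/* Count the OIDs in a DER SEQUENCE OF OBJECT IDENTIFIER; returns -1 if malformed. */
long eku_count(const uint8_t *der, size_t n)
{
    uint8_t tag;
    size_t len, h = der_header(der, n, &tag, &len);
    if (h == 0 || tag != 0x30 || h + len != n) return -1;
    long count = 0;
    for (size_t off = h; off < n; count++) {
        size_t olen, oh = der_header(der + off, n - off, &tag, &olen);
        if (oh == 0 || tag != 0x06 || olen == 0) return -1;
        off += oh + olen;
    }
    return count;
}

/* 1 if the list is over the limit; malformed input yields 0, so check eku_count for -1. */
int eku_over_limit(const uint8_t *der, size_t n) { return eku_count(der, n) > EKU_LIMIT; }

/* Constructed sample input: `count` (<= 127) OIDs 2.999.i from the example arc. */
size_t build_sample_eku(unsigned count, uint8_t *out, size_t cap)
{
    size_t body = (size_t)count * 5, h = 0;
    if (count > 127 || body + 4 > cap) return 0;
    out[h++] = 0x30;
    if (body >= 0x80) out[h++] = body >= 0x100 ? 0x82 : 0x81;
    if (body >= 0x100) out[h++] = (uint8_t)(body >> 8);
    out[h++] = (uint8_t)body;
    for (unsigned i = 0; i < count; i++, h += 5) {
        const uint8_t oid[5] = { 0x06, 0x03, 0x88, 0x37, (uint8_t)i };
        memcpy(out + h, oid, 5);
    }
    return h;
}
```

A count above EKU_LIMIT identifies a certificate for which the number returned by CertGetEnhancedKeyUsage should not be relied on.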



STATUS
This behavior is by design.



MORE INFORMATION
For more information, visit the following Microsoft Developer Network (MSDN) Web sites:

CertGetEnhancedKeyUsage

http://msdn2.microsoft.com/en-us/library/aa376083.aspx

Certificate.ExtendedKeyUsage

http://msdn2.microsoft.com/en-us/library/aa376521.aspx

CryptDecodeObjectEx

http://msdn2.microsoft.com/en-us/library/aa379912.aspx

Introducing CAPICOM

http://msdn2.microsoft.com/en-us/library/ms995332.aspx

Keywords: kbtshoot kbprb KB899313


© Microsoft Corporation. All rights reserved.