[Version]
Signature="$Windows NT$
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 2.5.29.19 == Basic Constraints for CA
[Strings]
szOID_BASIC_CONSTRAINTS2 = "2.5.29.19"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.76.9.21.1

[NewRequest]
Subject = "CN=TestEKUParsingIssuingCA"
Exportable = true
KeyLength = 256
HashAlgorithm = sha256
KeyUsage = "CERT_KEY_CERT_SIGN_KEY_USAGE"
KeyUsageProperty = "NCRYPT_ALLOW_SIGNING_FLAG"
MachineKeySet = True
RequestType = cert
ValidityPeriodUnits = 20
ValidityPeriod = Years
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = "ECDSA_P256"


[Extensions]
%szOID_BASIC_CONSTRAINTS2% = "{text}"
    _continue_ = "ca=True"

Critical=%szOID_BASIC_CONSTRAINTS2%

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; This extension is so the this CA is only allowed to
; issue end-entity certs.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
[BasicConstraintsExtension]
PathLength=0

;
; Surface Firmware Signing EKU
;
[Extensions]
    2.5.29.37 = "{text}"
    _continue_ = "1.3.6.1.4.1.311.76.9.21.1"