Include Issuance Policy Notice Text in Certificate Template
-
Monday, March 12, 2012 10:28 AM
Hi
Does anyone know how to include Notice Text (in addition to URL) in the Certificate Policies extension of certificate template such that it is included in the end entity certificate?
The idea is to have the Issuer Statement button in an end entity certificate load the user notice, and then the More button take you to the URL (in essence the same as a CA cert works).
Through the cert templates MMC I can define Issuance Policies on a particular template, but can only specify a URL for CPS.
Having examined the particular Issuance Policy OID using ADSI Edit, I can see that the URL corresponds to the msPKI-OID-CPS attribute. I can also see that the Issuance Policy has an attribute named msPKI-OID-User-Notice which looks promising, however even when this is manually edited it doesn't make it into the end entity certificate issued based on the template. From what I can see the template just references the OID using the msPKI-Certificate-Policy attribute.
I'm guessing the user notice attribute is either not implemented or there is another attribute / setting that would enable its processing by the CA at enrollment time.
2008 R2 PKI by the way.
Thanks
Douks
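To make concrete what the poster is asking for, here is an added example (not code from the thread, and not Microsoft's own implementation) that encodes and decodes the X.509 certificatePolicies extension (RFC 5280 section 4.2.1.4) with hand-rolled DER. A policy entry can carry two qualifiers: id-qt-cps (1.3.6.1.5.5.7.2.1, the "More Info" URL) and id-qt-unotice (1.3.6.1.5.5.7.2.2, the "Issuer Statement" text). The template UI described above only emits the first; the decoder below can be pointed at the extension value of an issued certificate to confirm whether a UserNotice is actually present. The issuance-policy OID, URL and notice text are constructed for the example.

```python
"""Encode/decode the certificatePolicies extension (OID 2.5.29.32) with plain DER.
Added example: the policy OID, CPS URL and notice text below are made up."""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"       # policy qualifier: CPS URI (IA5String)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"   # policy qualifier: UserNotice SEQUENCE

# --- minimal DER helpers -------------------------------------------------
def _len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:                       # base-128, high bit = more follows
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val

def decode_oid(body):
    out = [body[0] // 40, body[0] % 40]      # fine for arcs 0.x and 1.x
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            out.append(v)
            v = 0
    return ".".join(map(str, out))

# --- certificatePolicies ---------------------------------------------------
def encode_certificate_policies(policy_oid, cps_uri=None, notice_text=None):
    """Build one PolicyInformation with optional CPS and UserNotice qualifiers."""
    quals = b""
    if cps_uri:
        quals += tlv(0x30, encode_oid(ID_QT_CPS) + tlv(0x16, cps_uri.encode("ascii")))
    if notice_text:
        # UserNotice ::= SEQUENCE { noticeRef OPTIONAL, explicitText OPTIONAL }
        # explicitText as UTF8String; Windows tooling often uses BMPString (tag 0x1E).
        user_notice = tlv(0x30, tlv(0x0C, notice_text.encode("utf-8")))
        quals += tlv(0x30, encode_oid(ID_QT_UNOTICE) + user_notice)
    info = encode_oid(policy_oid) + (tlv(0x30, quals) if quals else b"")
    return tlv(0x30, tlv(0x30, info))        # SEQUENCE OF PolicyInformation

_TEXT_TAGS = {0x0C: "utf-8", 0x1A: "ascii", 0x1E: "utf-16-be"}  # UTF8/Visible/BMP

def decode_certificate_policies(der):
    """Return [{'oid', 'cps', 'notice'}] for each PolicyInformation in the value."""
    _, seq, _ = _read_tlv(der, 0)
    policies = []
    for _, info in _children(seq):
        parts = list(_children(info))
        entry = {"oid": decode_oid(parts[0][1]), "cps": None, "notice": None}
        if len(parts) > 1:                    # policyQualifiers present
            for _, qual in _children(parts[1][1]):
                (_, qid_body), (qtag, qval) = list(_children(qual))[:2]
                qid = decode_oid(qid_body)
                if qid == ID_QT_CPS:
                    entry["cps"] = qval.decode("ascii")
                elif qid == ID_QT_UNOTICE:
                    for t, v in _children(qval):   # skip noticeRef (0x30)
                        if t in _TEXT_TAGS:
                            entry["notice"] = v.decode(_TEXT_TAGS[t])
        policies.append(entry)
    return policies

if __name__ == "__main__":
    # Constructed values: a private issuance-policy OID, CPS URL and notice text.
    der = encode_certificate_policies("1.3.6.1.4.1.311.21.8.1.2.3",
                                      "http://pki.example.com/cps",
                                      "Issued under the example policy.")
    print(decode_certificate_policies(der))
```

To check a real end-entity certificate, extract the raw value of extension 2.5.29.32 with any ASN.1 tool (for example `openssl asn1parse` on the DER cert, or `certutil -dump`), feed those bytes to decode_certificate_policies, and look at the `notice` field: a template-issued certificate that only carries the CPS URL will show `notice: None`, which is the symptom the poster describes.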
All Replies
-
Monday, March 12, 2012 5:26 PM
You need to add the values using the CAPolicy.inf file when creating the CA certificate. More info here: http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx
Cheers
JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Monday, March 12, 2012 5:42 PM
Hi Jason
Thanks but perhaps you misunderstand what I'm trying to achieve...
My CA certificate is fine - Issuer Statement & More URL all works as expected. I am trying to configure issuance policy extension on certificate templates in order to get specific User Notice in end entity certificate as opposed to just OID & URL.
When defining an issuance policy within a certificate template you can only specify a URL via the interface. Creating this issuance policy creates an OID in AD under Configuration\Services\Public Key Services\OID... This is where I can see the msPKI-OID-User-Notice attribute, but editing it seems to have no effect.
Cheers
Douks
-
Monday, March 12, 2012 5:47 PM
Yeah, sorry I misread it <blush> :)
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
-
Monday, March 12, 2012 5:48 PM
Not to worry - easily done...
Any ideas?
Douks
-
Saturday, March 24, 2012 12:17 PM
Please, please, please could someone from Microsoft confirm if the msPKI-OID-User-Notice attribute is implemented & if so how to utilise it.
Thank you
Douks