AlternateSignatureAlgorithm in CAPolicy.inf

    Question

  • I had modeled some post-install scripts after some entries in Brian's book and in response to some topics on this board. I think I took the example policy file too literally. I was playing around with some lab systems today and noticed that Windows XP SP3 systems had issues verifying the certificate chain; "Wrong Issuer" in certutil -verify -urlfetch. In doing some research and testing, removing the AlternateSignatureAlgorithm in the CAPolicy.inf of my CAs and reissuing the SubCA resolved the issue. I then read in the online documents that this setting may not work with pre-Server 2008/Win7 operating systems. I just want to clarify two things:

    • If an environment is going to have Windows XP (or even non-Windows) systems, should this setting always remain at 0?
    • Is this setting only required if using CNG? And if it was required and implemented, would this render XP and non-Windows machines unable to use the CA?
    Thank you

    Wednesday, June 09, 2010 2:28 AM

Answers