Include Issuance Policy Notice Text in Certificate Template

    Question

  • Hi

    Does anyone know how to include Notice Text (in addition to URL) in the Certificate Policies extension of certificate template such that it is included in the end entity certificate?

    The idea is to have the Issuer Statement button in an end entity certificate load the user notice, and then the More button take you to the URL (in essence the same as a CA cert works).

    Through the cert templates MMC I can define Issuance Policies on a particular template, but can only specify a URL for CPS.

    Having examined the particular Issuance Policy OID using ADSI Edit, I can see that the URL corresponds to the msPKI-OID-CPS attribute. I can also see that the Issuance Policy has an attribute named msPKI-OID-User-Notice which looks promising, however even when this is manually edited it doesn't make it into the end entity certificate issued based on the template. From what I can see the template just references the OID using the msPKI-Certificate-Policy attribute.

    I'm guessing the user notice attribute is either not implemented or there is another attribute / setting that would enable its processing by the CA at enrollment time.

    2008 R2 PKI by the way.

    Thanks


    Douks

    Monday, March 12, 2012 10:28 AM
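The check behind the question ("it doesn't make it into the end entity certificate"), as an added PowerShell example that is not part of the thread: a function that decodes the Certificate Policies extension (OID 2.5.29.32) of a certificate and reports the policy OIDs, the CPS URL qualifier and the User Notice qualifier it carries, so an issued end-entity certificate can be compared with the CA certificate whose Issuer Statement already works. It reads the text produced by the CryptoAPI decoder behind X509Extension.Format(); the "CPS", "User Notice" and "Notice Text=" markers it matches are an assumption about that English-locale output, and the raw decoded text is returned as well so nothing is hidden if the markers differ.

```powershell
# Added example, not from the thread. Decodes the Certificate Policies extension
# (2.5.29.32) of a certificate and reports the CPS URL and User Notice qualifiers.
# The Format() text comes from the CryptoAPI decoder; the "CPS", "User Notice" and
# "Notice Text=" markers below are assumed English-locale output (the raw text is
# returned too, so nothing is hidden if the markers differ).
function Get-CertificatePolicyQualifiers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        if (-not $ext) {
            [pscustomobject]@{
                Subject    = $Certificate.Subject
                HasPolicy  = $false
                PolicyOids = @()
                CpsUrl     = $null
                UserNotice = $null
                Raw        = $null
            }
            return
        }

        # Multi-line, human-readable decode of the extension, of the form
        #   [1]Certificate Policy:
        #        Policy Identifier=1.3.6.1.4.1.311.21.8.x.y.z
        #        [1,1]Policy Qualifier Info:
        #             Policy Qualifier Id=CPS
        #             Qualifier: http://pki.example.com/cps.html
        #        [1,2]Policy Qualifier Info:
        #             Policy Qualifier Id=User Notice
        #             Qualifier: Notice Text=...
        $text = $ext.Format($true)

        $oids   = [regex]::Matches($text, 'Policy Identifier=([0-9.]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        $cps    = [regex]::Match($text, 'Policy Qualifier Id=CPS[\s\S]*?Qualifier:\s*(\S+)')
        $notice = [regex]::Match($text, 'Notice Text=([^\r\n]+)')

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            HasPolicy  = $true
            PolicyOids = @($oids)
            CpsUrl     = if ($cps.Success)    { $cps.Groups[1].Value }           else { $null }
            UserNotice = if ($notice.Success) { $notice.Groups[1].Value.Trim() } else { $null }
            Raw        = $text
        }
    }
}

# Usage: every certificate in the current user's Personal store, e.g. one just
# enrolled from the template, next to the issuing CA certificate for comparison.
Get-ChildItem Cert:\CurrentUser\My |
    Get-CertificatePolicyQualifiers |
    Format-List Subject, HasPolicy, PolicyOids, CpsUrl, UserNotice

# Or an exported certificate file (the path is a placeholder):
# New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued.cer' |
#     Get-CertificatePolicyQualifiers
```

A certificate whose Issuer Statement button shows notice text will report a non-empty UserNotice; one that only carries the URL from the template will report CpsUrl alone. The same decoded extension can be cross-checked with `certutil -v -dump C:\temp\issued.cer` (placeholder path).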

All replies

  • You need to add the values using the CAPolicy.inf file when creating the CA certificate. More info here: http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, March 12, 2012 5:26 PM
  • Hi Jason

    Thanks but perhaps you misunderstand what I'm trying to achieve...

    My CA certificate is fine - Issuer Statement & More URL all works as expected. I am trying to configure issuance policy extension on certificate templates in order to get specific User Notice in end entity certificate as opposed to just OID & URL.

    When defining an issuance policy within a certificate template you can only specify a URL via the interface. Creating this issuance policy creates an OID in AD under Configuration\Services\Public Key Services\OID... This is where I can see the msPKI-OID-User-Notice attribute, but editing it seems to have no effect.

    Cheers



    Douks

    Monday, March 12, 2012 5:42 PM
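The AD side of the same comparison, as an added PowerShell example that is not part of the thread: it enumerates the issuance policy objects under CN=OID,CN=Public Key Services,CN=Services in the configuration partition (the container described in the reply above) and prints their msPKI-Cert-Template-OID, msPKI-OID-CPS and msPKI-OID-User-Notice values, so what has been stored in AD can be set beside what ends up in the issued certificate. It assumes a domain-joined machine with LDAP access to the configuration naming context, and assumes that issuance policies are the msPKI-Enterprise-Oid objects with flags=2 (flags=1 being template OIDs and flags=3 application policies).

```powershell
# Added example, not from the thread. Enumerates issuance policy objects in the
# configuration partition's OID container and shows the attributes the thread
# discusses. Assumes LDAP access to the configuration NC and that flags=2 marks
# issuance policies (flags=1 template OIDs, flags=3 application policies).
function Get-IssuancePolicyObject {
    [CmdletBinding()]
    param(
        # displayName filter in LDAP wildcard syntax; the default lists all issuance policies
        [string]$DisplayName = '*'
    )

    # Multi-valued attributes (msPKI-OID-CPS, msPKI-OID-User-Notice) are joined for display
    function Join-Values($props, $name) {
        (@($props[$name]) | ForEach-Object { [string]$_ }) -join '; '
    }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext.Value
    $oidRoot  = [ADSI]"LDAP://CN=OID,CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($oidRoot)
    $searcher.Filter   = "(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(displayName=$DisplayName))"
    $searcher.PageSize = 200
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'displayName', 'msPKI-Cert-Template-OID', 'msPKI-OID-CPS', 'msPKI-OID-User-Notice'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names are lower-cased by DirectorySearcher
        [pscustomobject]@{
            DisplayName = Join-Values $p 'displayname'
            Oid         = Join-Values $p 'mspki-cert-template-oid'
            CpsUrl      = Join-Values $p 'mspki-oid-cps'
            UserNotice  = Join-Values $p 'mspki-oid-user-notice'
            Path        = $result.Path
        }
    }
}

# Usage: all issuance policies, or a single one by display name
Get-IssuancePolicyObject | Format-Table DisplayName, Oid, CpsUrl, UserNotice -AutoSize
# Get-IssuancePolicyObject -DisplayName 'High Assurance'
```

Running this after editing msPKI-OID-User-Notice in ADSI Edit confirms the value is actually stored on the object; a populated UserNotice column here next to an empty UserNotice in the issued certificate isolates the gap to the CA's processing at enrollment time rather than to the directory edit.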
  • Yeah, sorry I misread it <blush> :)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, March 12, 2012 5:47 PM
  • Not to worry - easily done...

    Any ideas?


    Douks

    Monday, March 12, 2012 5:48 PM
  • Please, please, please could someone from Microsoft confirm if the msPKI-OID-User-Notice attribute is implemented & if so how to utilise it.

    Thank you


    Douks

    Saturday, March 24, 2012 12:17 PM