Cross-certificate between two root Microsoft CAs

    Question

  • Hi all,
    I have a win2008 R2 root CA and a win2003 enterprise root CA.  How can I cross-certify the two root CAs?
    I have read MS article 290760 but that is for EntrustCA, and certain certutil options are not available as listed.
    When I use base64 to submit the request, I get "Denied by Policy Module0x80094802: The request specifies Conflicting certificate Templates: <Template Name>", whatever template name is selected.
    Any help will help.
    Tuesday, December 15, 2009 10:50 PM

All replies

  • Look at the cross-certification whitepaper.
    technet.microsoft.com/en-us/library/cc787237(WS.10).aspx
    From the looks of your error, you are missing several key steps and have not provided enough information to troubleshoot.
    - What does your inf file look like
    - did you run certreq correctly to generate the crossCA request
    - Did you create a QS Signing certificate template

    Brian
    Tuesday, December 15, 2009 10:53 PM
  • I agree with Brian. Also, can you show your policy.inf file? Have you added this section in the INF file?
    [RequestAttributes]
    CertificateTemplate = CrossCA


    http://www.sysadmins.lv
    Wednesday, December 16, 2009 9:44 AM
  • Thanks all for shedding some light on this.  I have gone through the steps to create Qualified Subord cert.
    Followed the white-paper steps to creating the cross certificate, and ended at the similar error posted online:
    "Denied by Policy Module.  Certificate Authority's certificate contains invalid data. 0x80094005".  I saw one person said the PathLength=0 was his typo.  My CAPolicy.inf contains PathLength=0, so I changed it to 1.  Still Denied as above.
    Here is my CAPolicy.inf:

    ================================

    [Version]
    Signature= "$Windows NT$"

    [certsrv_server]
    CRLPeriod = weeks
    CRLPeriodUnits = 26

    [PolicyStatementExtension]
    Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
    CRITICAL = FALSE

    [HighAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.402

    [MediumAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.401

    [LowAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.400

    [PolicyConstraintsExtension]
    RequireExplicitPolicy = 0
    InhibitPolicyMapping = 0

    [BasicConstraintsExtension]
    PathLength = 1

    ====================


    What more should I look into?

    Julius

    Tuesday, January 12, 2010 6:23 PM
  • I noticed my INF needs a certificate template, so I submitted the request via the web and bypassed that error to arrive at the next error "Denied ...invalid data".
    Tuesday, January 12, 2010 6:26 PM
  • You should get your own OID arc.
    You are using Microsoft OIDs. I have found when doing this, it often breaks. (they may be too long)
    Brian
    Wednesday, January 13, 2010 1:03 AM
  • adding to Brian post:
    http://pen.iana.org/pen/PenApplication.page - here you can request your own OID.
    http://www.sysadmins.lv
    Wednesday, January 13, 2010 6:54 AM
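Brian's point about the auto-generated Microsoft OID arc being long can be checked rather than guessed at. The script below is an added example for this thread, not Microsoft's code and not from any poster: it DER-encodes a dotted OID and reports its encoded length and largest arc, so an admin can compare the 1.3.6.1.4.1.311.21.8... policy OIDs quoted above with one rooted in their own IANA Private Enterprise Number. The PEN 99999 used in the sample list is a placeholder, not a registered number.

```python
"""DER-encode an OBJECT IDENTIFIER and report its size and largest arc.

Constructed example for this thread, not Microsoft's code. Compares a
certificate-policy OID from a CA's auto-generated Microsoft arc with one
rooted in your own IANA PEN (the PEN below is a placeholder).
"""

def _base128(value: int) -> bytes:
    """Encode one OID arc in base-128, continuation bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))

def encode_oid(oid: str) -> bytes:
    """Return the full DER TLV (tag 0x06, length, contents) for a dotted OID string."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {oid}")
    # X.690: the first two arcs are packed into a single value 40*a0 + a1
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:  # long-form length, only reached by very large OIDs
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x06" + length + body

def oid_report(oid: str) -> dict:
    """Summarise the properties worth comparing between two policy OIDs."""
    arcs = [int(a) for a in oid.split(".")]
    der = encode_oid(oid)
    return {
        "oid": oid,
        "arcs": len(arcs),
        "max_arc": max(arcs),
        # some decoders keep each arc in a 32-bit integer; flag arcs that would not fit
        "max_arc_fits_int32": max(arcs) <= 0x7FFFFFFF,
        "der_len": len(der),
    }

# Constructed sample inputs: the two auto-generated OIDs quoted in the thread and a
# placeholder PEN-based OID (PEN 99999 is made up, not a registered number).
SAMPLE_OIDS = [
    "1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.402",
    "1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.402",
    "1.3.6.1.4.1.99999.1.402",
]

if __name__ == "__main__":
    for o in SAMPLE_OIDS:
        r = oid_report(o)
        print(f"{r['der_len']:3d} bytes  arcs={r['arcs']:2d}  "
              f"max_arc={r['max_arc']:<11d} int32_ok={r['max_arc_fits_int32']}  {o}")
```

Running it shows the first quoted OID encoding to 34 bytes with an arc above 2^31, while the PEN-based placeholder encodes to 13 bytes with every arc small; that difference is what to look at when a partner CA rejects a policy OID.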
  • Actually, the CAPolicy.inf I used is below, after I modified the sample Microsoft Policy.inf I quoted above
    with the AssurancePolicy OID from the machine. This is a lab machine:

    [Version]
    Signature= "$Windows NT$"

    [certsrv_server]
    CRLPeriod = weeks
    CRLPeriodUnits = 26

    [PolicyStatementExtension]
    Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
    CRITICAL = FALSE

    [HighAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.402

    [MediumAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.401

    [LowAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.400

    [PolicyConstraintsExtension]
    RequireExplicitPolicy = 0
    InhibitPolicyMapping = 0

    [BasicConstraintsExtension]
    PathLength = 1

    [RequestAttributes]
    CertificateTemplate = CrossCA

    Wednesday, January 13, 2010 4:12 PM
  • I have created the cross-Certs successfully on my CAs.  However when trying to sign email with the user cert from
    either domain the cross certificate was flagged with "certificate has Invalid Policy".  Are these added policy statement extensions the problem, and why are these (Assurance policies) required?
    Thanks for your input.
    Thursday, January 14, 2010 11:25 PM
  • You have shown us a CAPolicy.inf.
    To do cross certification, you need a properly configured policy.inf
    You have not shown us anything about this configuration file
    In here, you would define:
    - Certificate policy OID mapping
    - Allowed Application policies,
    - Name constraints

    Your basic constraints pathlength will be an issue in your capolicy.inf if the partner org has anything other than an Enterprise Root CA.

    Brian
    Friday, January 15, 2010 2:00 AM
  • Brian,
    reading through the whitepaper, I could not differentiate that there must be a policy.inf separate from the CAPolicy.inf.
    Where should Policy.inf be placed? Also is there a sample I can view?
    Thanks for your help.
    Friday, January 15, 2010 4:10 PM
  • > Where should Policy.inf be placed?
    anywhere. When you run certreq.exe you will set the -policy switch and the path to the policy.inf file. Therefore there are no restrictions on file naming and placement. You may run this command:
    certreq -policy

    and you will be able to select policy.inf file (in second step. In first step you will need to select CA certificate).

    Looking at Brian's link, you can find the Appendix:
    http://technet.microsoft.com/en-us/library/cc738878(WS.10).aspx
    here is policy.inf example.
    http://www.sysadmins.lv
    Friday, January 15, 2010 4:22 PM
  • You know, in the second step I have been selecting the capolicy.inf. 
    I will try again with another policy.inf and see what happens. 
    Friday, January 15, 2010 4:34 PM
  • Is there a command to display the current CAPolicy as an .inf file?
    Friday, January 15, 2010 4:38 PM
  • for cross-certification you don't need to use CAPolicy.inf
    Policy.Inf is similar but not the same. I have an example of this file (not the best, but as is):
    [Version]
    Signature = "$Windows NT$"
     
    [NameConstraintsExtension]
    Include = NameConstraintsPermitted
    Exclude = NameConstraintsExcluded
    critical = true
     
    [NameConstraintsPermitted]
    DirectoryName = "DC=adatum, DC=COM"
    Email = @adatum.com
    Email = .adatum.com
    URL = .adatum.com
    UPN = .adatum.com
    UPN = @adatum.com
     
    [NameConstraintsExcluded]
    DirectoryName = "DC=contoso, DC=com"
    Email = @contoso.com
    Email = .contoso.com
    URL = .contoso.com
    UPN = .contoso.com
    UPN = @contoso.com
     
    [BasicConstraintsExtension]
    pathlength = 1
    critical = true
     
    [ApplicationPolicyStatementExtension]
    Policies = CodeSigning
    critical = false
     
    [CodeSigning]
    OID = 1.3.6.1.5.5.7.3.3
     
    [RequestAttributes]
    CertificateTemplate = CrossCA

    in this case domain contoso.com trusts certificates from the adatum.com domain with code signing purpose. I haven't implemented certificate policy mappings, so you can use this file as an example and for more information use the whitepaper.


    http://www.sysadmins.lv
    • Proposed as answer by Brian Komar [MVP] Tuesday, January 19, 2010 7:55 PM
    • Marked as answer by p99373 Tuesday, January 19, 2010 9:25 PM
    Friday, January 15, 2010 4:47 PM
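The [NameConstraintsPermitted] and [NameConstraintsExcluded] sections in the policy.inf above end up as an RFC 5280 name constraints extension in the cross-certificate, and every certificate chained below it is judged against those subtrees. The script below is an added example for this thread (not Microsoft's code and not the poster's): it parses the name-constraint sections of that sample file, then reports whether a subject DN, e-mail, UPN or URL would pass. It assumes the LDAP string form for DNs and reads an Email/UPN entry of the form "@host" as "any mailbox at exactly that host"; RFC 5280 leaves that form to the implementation, so treat it as an assumption.

```python
"""Apply the [NameConstraints*] sections of a certreq policy.inf to candidate names.

Added example for this thread; not Microsoft's code and not the poster's.
Matching follows RFC 5280 section 4.2.1.10 as read here; assumption: an
Email/UPN pattern of the form '@host' means 'any mailbox at exactly that host'.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the name-constraint sections of the policy.inf posted above.
SAMPLE_INF = """\
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
critical = true

[NameConstraintsPermitted]
DirectoryName = "DC=adatum, DC=COM"
Email = @adatum.com
Email = .adatum.com
URL = .adatum.com
UPN = .adatum.com
UPN = @adatum.com

[NameConstraintsExcluded]
DirectoryName = "DC=contoso, DC=com"
Email = @contoso.com
Email = .contoso.com
URL = .contoso.com
UPN = .contoso.com
UPN = @contoso.com
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]}; keys lower-cased, repeated keys kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip().strip('"')))
    return sections

def load_constraints(text):
    """Resolve Include/Exclude to the (kind, pattern) lists they point at."""
    inf = parse_inf(text)
    ext = dict(inf["NameConstraintsExtension"])
    return inf.get(ext.get("include", ""), []), inf.get(ext.get("exclude", ""), [])

def _rdns(dn):
    # "CN=a, DC=adatum, DC=com" -> [("cn","a"), ("dc","adatum"), ("dc","com")]
    # (escaped commas inside values are not handled in this example)
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def _host_matches(host, pattern):
    if pattern.startswith("."):          # ".adatum.com": any host strictly below adatum.com
        return host.endswith(pattern) and host != pattern
    return host == pattern.lstrip("@")   # "@adatum.com" or "adatum.com": exactly that host (assumption)

def _matches(kind, name, pattern):
    kind, name, pattern = kind.lower(), name.lower(), pattern.lower()
    if kind == "directoryname":
        # RFC 5280: the constraint DN must be a prefix of the name in X.500 order,
        # which is a suffix of the LDAP string form used here
        c, n = _rdns(pattern), _rdns(name)
        return len(n) >= len(c) and n[-len(c):] == c
    if kind in ("email", "upn"):
        return _host_matches(name.rpartition("@")[2], pattern)
    if kind == "url":
        return _host_matches(urlsplit(name).hostname or "", pattern)
    raise ValueError(f"unsupported name form: {kind}")

def check_name(kind, name, permitted, excluded):
    """Excluded subtrees win; otherwise, if any permitted subtree exists for this
    name form, the name must fall inside one of them (unlisted forms are free)."""
    kind = kind.lower()
    if any(_matches(kind, name, p) for k, p in excluded if k == kind):
        return False
    relevant = [p for k, p in permitted if k == kind]
    return not relevant or any(_matches(kind, name, p) for p in relevant)

if __name__ == "__main__":
    permitted, excluded = load_constraints(SAMPLE_INF)
    for kind, name in [("Email", "alice@adatum.com"), ("Email", "bob@mail.adatum.com"),
                       ("Email", "eve@contoso.com"), ("Email", "x@fabrikam.com"),
                       ("DirectoryName", "CN=Alice, OU=Sales, DC=adatum, DC=com"),
                       ("URL", "https://code.adatum.com/sign")]:
        verdict = "accepted" if check_name(kind, name, permitted, excluded) else "rejected"
        print(f"{kind:14s} {name:40s} -> {verdict}")
```

Note the third and fourth e-mail cases: eve@contoso.com is rejected by the excluded subtree, and x@fabrikam.com is rejected because a permitted subtree exists for the Email form and the name is outside all of them. That is why the "Invalid Policy" style failures seen earlier in the thread are worth reproducing offline before reissuing a cross-certificate.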
  • Thanks.  I got it working.
    Tuesday, January 19, 2010 6:24 PM