Specify the Issuance Policies in Certificate Template

  • Question

  • Hi

    I am trying to specify the issuance policy with a newly created certificate template in our subordinate CA. I already got the OID and CPS location and tried to enter this information via "New issuance policy". However, the system complains: "The new issuance policy could not be added. The object or property already exists". I checked the existing policies and they are "All issuance policies, European Qualified Certificate, High Assurance, Low Assurance, Medium Assurance, Secure Signature Creation Device Qualified Certificate". I just can't add a new one using my OID and CPS.

    Could anyone please share the idea?

    Thanks

    Monday, May 27, 2013 5:51 PM

Answers

  • This is typically the case when there is an existing OID defined in AD. Maybe someone defined the OID as an application policy OID.

    The easiest way to search is to use ADSIEDit focused on the OID container.

    If your OID is 1.3.6.1.4.1.###.3.3

    Then you would search for the last digit as the first character in an OID.

    3.######

    Look in the properties of each OID looking for the OID you want to add.

    Brian

    • Marked as answer by 朱鸿文 Friday, June 7, 2013 5:00 AM
    Monday, May 27, 2013 7:00 PM
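    The lookup Brian describes, done as an LDAP query rather than by browsing CN=3.xxxx objects in ADSIEdit (an added example, not code from the thread; it assumes the ActiveDirectory RSAT module, read access to the Configuration naming context, and a placeholder OID you replace with your own):

    ```powershell
    # Added example: find the existing msPKI-Enterprise-Oid object that already
    # carries a given OID value, and report what kind of OID it is registered as.
    # Assumes the ActiveDirectory module (RSAT). The OID passed at the bottom is a
    # constructed placeholder.
    Import-Module ActiveDirectory

    function Find-EnterpriseOid {
        param([Parameter(Mandatory)][string]$Oid)

        $cfgNc = (Get-ADRootDSE).configurationNamingContext
        $oidDn = "CN=OID,CN=Public Key Services,CN=Services,$cfgNc"

        # Every object in the OID container stores its dotted OID in
        # msPKI-Cert-Template-OID, whether it is a template, an issuance policy
        # or an application policy OID, so filter on that attribute directly.
        $filter = "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$Oid))"

        Get-ADObject -SearchBase $oidDn -SearchScope OneLevel -LDAPFilter $filter `
            -Properties 'displayName', 'flags', 'msPKI-Cert-Template-OID', 'msPKI-OID-CPS' |
        ForEach-Object {
            # flags: 1 = certificate template OID, 2 = issuance policy OID,
            # 3 = application policy OID (my reading of MS-WCCE; verify on your schema).
            $flags = [int]$_.flags
            $kind = switch ($flags) {
                1       { 'certificate template' }
                2       { 'issuance policy' }
                3       { 'application policy' }
                default { "unknown ($flags)" }
            }
            [pscustomobject]@{
                Name        = $_.Name        # e.g. 3.<hex>: last arc first, as Brian notes
                DisplayName = $_.displayName
                Kind        = $kind
                Oid         = $_.'msPKI-Cert-Template-OID'
                Cps         = $_.'msPKI-OID-CPS'
                DN          = $_.DistinguishedName
            }
        }
    }

    # Placeholder OID; substitute the arc you are trying to register.
    Find-EnterpriseOid -Oid '1.3.6.1.4.1.99999.3.3' | Format-List
    ```

    An empty result means nothing in CN=OID claims that value; a hit whose Kind is "application policy" matches Brian's explanation of the "already exists" error.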
  • You have to delete the previously created OID. 

    In a well designed PKI, there are no duplicates <G>. You need to use the procedure I already provided to figure out if the OID exists and what it is used for.

    Brian

    • Marked as answer by 朱鸿文 Friday, June 7, 2013 5:00 AM
    Monday, May 27, 2013 8:16 PM

All replies

  • Thank you Brian for your reply.

    If the OID has already been created in the AD, how can I refer to it in the certificate template issuance policy?

    Jin

    Monday, May 27, 2013 7:09 PM
  • Hi Brian,

    Thanks for the reply. I found that OID and deleted it. When I tried to add a new issuance policy with this OID, it says: "Windows cannot save the display name. Insufficient access rights to perform the operation."  What specific access rights do I need?

    Jin

    Friday, May 31, 2013 6:30 PM
  • *bump*

    We're getting this as well. We've got a cert-admin user group that we're trying to use to assign certificates and such so they don't need to be domain admins. I've already assigned that group full control in a couple of containers that they needed for duplicating templates, but where would I assign permissions for this?

    If I recall, there is an OID container and they have full control in it, do they need something extra inside that container or in the one above?

    would appreciate any comments.

    Thanks,


    Jeffrey S. Patton, Systems Specialist, Enterprise Systems, University of Kansas, 1001 Sunnyside Ave., Lawrence, KS 66045, (785) 864-0242 | http://patton-tech.com

    Tuesday, April 1, 2014 2:16 PM
  • You need to do the permission assignments in the Configuration naming context.

    You can use AD Sites and Services (with the Services container exposed).

    The containers you need for certificate templates are under CN=Public Key Services,CN=Services,CN=Configuration

    CN=Certificate Templates

    CN=OID

    Also, you need to give the user/group Modify permissions on all existing certificate templates.

    Brian

    Tuesday, April 1, 2014 2:19 PM
  • @Brian

    Yeah, I did that; I'm waiting on my cert guys to try this out. What I noticed today was that those permissions didn't apply to the objects inside that container. I adjusted the permissions so that it was the OID container and objects inside that container. They are able to create templates with just full control, but when they attempt to create a policy and use it, that's when there is an issue... although as I type this I wonder if the error is actually for the templates... see, the policy gets created, they just can't use it...

    I'll tweak the template permissions as well and see what happens.


    Jeffrey S. Patton, Systems Specialist, Enterprise Systems, University of Kansas, 1001 Sunnyside Ave., Lawrence, KS 66045, (785) 864-0242 | http://patton-tech.com

    Tuesday, April 1, 2014 2:22 PM
  • @Brian

    Thus far it appears my issue was resolved by granting full control to this object and all descendants. I wonder if I could get by with modify or something similar, instead of full control.


    Jeffrey S. Patton, Systems Specialist, Enterprise Systems, University of Kansas, 1001 Sunnyside Ave., Lawrence, KS 66045, (785) 864-0242 | http://patton-tech.com

    Tuesday, April 1, 2014 2:28 PM
  • @Brian,

    This is exactly what I just configured and my Cert admins told me they are able to do the work they need to. The only addition I would make is that I think, at least on the OID container, you have to allow that permission to apply to descendant objects.

    Thanks!


    Jeffrey S. Patton, Systems Specialist, Enterprise Systems, University of Kansas, 1001 Sunnyside Ave., Lawrence, KS 66045, (785) 864-0242 | http://patton-tech.com

    Tuesday, April 1, 2014 2:49 PM
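    A way to check the delegation Brian describes on CN=Certificate Templates and CN=OID, including whether each ACE applies to descendant objects as Jeffrey found necessary, and to flag Full Control grants for the least-privilege review Jeffrey was wondering about (an added example, not code from the thread; it assumes the ActiveDirectory module with its AD: drive, and the group name is a placeholder):

    ```powershell
    # Added example: list the ACEs a delegated group holds on the two PKI containers
    # in the Configuration naming context and show their inheritance scope.
    # Assumes the ActiveDirectory module (RSAT); 'PKI-Template-Admins' is a placeholder.
    Import-Module ActiveDirectory

    function Get-PkiDelegation {
        param([Parameter(Mandatory)][string]$GroupName)

        $cfgNc = (Get-ADRootDSE).configurationNamingContext
        $pks   = "CN=Public Key Services,CN=Services,$cfgNc"
        $group = Get-ADGroup $GroupName
        # Get-Acl reports identities as DOMAIN\name, so build that form for matching.
        $nt    = "$((Get-ADDomain).NetBIOSName)\$($group.SamAccountName)"
        $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

        foreach ($cn in 'CN=Certificate Templates', 'CN=OID') {
            $dn  = "$cn,$pks"
            $acl = Get-Acl -Path "AD:\$dn"
            foreach ($ace in ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $nt })) {
                [pscustomobject]@{
                    Container   = $cn
                    Rights      = $ace.ActiveDirectoryRights
                    Type        = $ace.AccessControlType
                    # 'All' or 'Descendents' means the ACE also reaches the template/OID
                    # objects inside the container; 'None' covers the container only,
                    # which is the gap Jeffrey hit on CN=OID.
                    Inheritance = $ace.InheritanceType
                    # GenericAll is Full Control; flag it so a narrower grant can be considered.
                    FullControl = $ace.ActiveDirectoryRights.HasFlag($all)
                }
            }
        }
    }

    Get-PkiDelegation -GroupName 'PKI-Template-Admins' | Format-Table -AutoSize
    ```

    Brian's note about Modify on each existing template is separate: those ACEs live on the individual template objects, not on the container, so check them per object.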