Two tier PKI on Win2k12 ADCS: Invalid Issuance Policies

  • Question

  • I've been working on implementing a PKI based on Win2k12 Core. It's a two tier with an offline root and an issuing CA in a failover cluster setup. This works great as long as I don't add any issuance policies in my templates. Following http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/ as a guide I even got a PEN from IANA. I've tried several installations of the CAs with different CAPolicy.inf settings to try and convince ADCS to accept these custom OIDs.

    Current Root CA CAPolicy.inf

    [Version]
    Signature = "$Windows NT$"
    
    [AuthorityInformationAccess]
    Empty = true
    
    [CRLDistributionPoint]
    Empty = true
    
    [BasicConstraintsExtension]
    critical=true
    IsCA=true
    
    [certsrv_server]
    ProviderName="RSA#Microsoft Software Key Storage Provider" ; standard Microsoft CSP
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=8
    CRLPeriod=Years
    CRLPeriodUnits=6
    CRLOverlapUnits=1
    CRLOverlapPeriod=months
    CRLDeltaPeriodUnits=0
    CRLDeltaPeriod=days
    LoadDefaultTemplates=0

    As you can see I haven't asserted any policies in there. But I've tried different variations, even included all the policies I've also asserted below in the issuing CA's CAPolicy.inf, to no avail.

    Issuing CA CAPolicy.inf

    [Version]
    Signature = "$Windows NT$"
    
    [AuthorityInformationAccess]
    
    [CRLDistributionPoint]
    
    [BasicConstraintsExtension]
    Pathlength = 0
    Critical = true
    
    [certsrv_server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=4
    
    CRLPeriod=Days
    CRLPeriodUnits=7
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=1
    ClockSkewMinutes=20
    
    LoadDefaultTemplates=False
    
    [PolicyStatementExtension] 
    Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement
    
    [SecurityPolicy]
    OID=1.3.6.1.4.1.[PEN].509.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf
    
    [CertificateStatement] 
    OID=1.3.6.1.4.1.[PEN].509.2
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf
    
    [CertificatePracticeStatement] 
    OID=1.3.6.1.4.1.[PEN].509.10.10.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf
    
    [NameConstraintsExtension]
    Include = NameConstraintsPermitted
    Exclude = NameConstraintsExcluded
    Critical = True
    
    [NameConstraintsPermitted]
    DNS = ".xxxx.nl"
    DNS = ".yyyy.nl"
    DNS = ".zzzz.nl"
    email = ".xxxx.nl"
    email = ".yyyy.nl"
    email = ".zzzz.nl"
    UPN = ".xxxx.nl"
    UPN = ".yyyy.nl"
    UPN = ".zzzz.nl"
    UPN = "@xxxx.nl"
    UPN = "@yyyy.nl"
    UPN = "@zzzz.nl"
    URL = "http://.xxxx.nl"
    URL = "http://.yyyy.nl"
    URL = "http://.zzzz.nl"
    DIRECTORYNAME = "DC=xxxx,dc=nl"
    DIRECTORYNAME = "DC=yyyy,dc=nl"
    DIRECTORYNAME = "DC=zzzz,dc=nl"
    
    [NameConstraintsExcluded]

    The error message the CA spits out when I try to get myself a webserver certificate issued is:

    Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.[PEN].509.10.10.1

    Whatever I try I can't get rid of it. I'm basically at the end of what I can think of to get this PKI thing to work short of not using an issuance policy in my templates at all or +CRLF_IGNORE_INVALID_POLICIES on the issuing CA. The only option I haven't tried is installing CAs with the AllIssuancePolicy OID (2.5.29.32.0). But darnit, I shouldn't have to.

    I know it's a lot to ask, but after a week of messing with this, reading and trying to understand everything I can find about it, I'm getting tired of it: Is there a simple to follow step-by-step howto available on how to get these friggen custom OIDs to work properly in a Microsoft ADCS? I can't seem to puzzle it together using technet, these forums or google. It seems to be a black art or somesuch.

    Friday, August 21, 2015 7:40 AM

Answers

  • That's the long version of "make sure everything matches in capolicy.inf", indeed. I took a long hard look at the generated Issuing CA certificate and eventually I noticed there were no (none, zero) Issuance policies asserted in it.

    So if there's an error in capolicy.inf pertaining the issuance policies, as the one I made, none of them are asserted.

    Wednesday, August 26, 2015 7:53 AM

All replies

  • On Fri, 21 Aug 2015 07:40:15 +0000, PolarWolf wrote:

    I know it's a lot to ask, but after a week of messing with this, reading and trying to understand everything I can find about it, I'm getting tired of it: Is there a simple to follow step-by-step howto available on how to get these friggen custom OIDs to work properly in a Microsoft ADCS? I can't seem to puzzle it together using technet, these forums or google. It seems to be a black art or somesuch.

    What issuance policies does your root CA assert?


    Paul Adare - FIM CM MVP

    Friday, August 21, 2015 11:44 AM
  • On Fri, 21 Aug 2015 07:40:15 +0000, PolarWolf wrote:

    I know it's a lot to ask, but after a week of messing with this, reading and trying to understand everything I can find about it, I'm getting tired of it: Is there a simple to follow step-by-step howto available on how to get these friggen custom OIDs to work properly in a Microsoft ADCS? I can't seem to puzzle it together using technet, these forums or google. It seems to be a black art or somesuch.

    What issuance policies does your root CA assert?


    Paul Adare - FIM CM MVP


    Currently, none (based on an answer I distilled from the forums here). But I've tried several varieties, including all of the policies the Issuing CA also asserts.

    Friday, August 21, 2015 1:46 PM
  • Can you please attach your root and issuing CA certificates?


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Sunday, August 23, 2015 8:43 AM
  • So yeah...

    It took me a week and a bit but I finally discovered there's a bit of an obvious error in my Issuing CA's capolicy.inf.

    [PolicyStatementExtension] 
    Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement
    
    [SecurityPolicy]
    OID=1.3.6.1.4.1.[PEN].509.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf
    
    [CertificateStatement] 
    OID=1.3.6.1.4.1.[PEN].509.2
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf
    
    [CertificatePracticeStatement] 
    OID=1.3.6.1.4.1.[PEN].509.10.10.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf

    I fixed the "Policies" under [PolicyStatementExtension] to actually reference the correct definition and all started working all of a sudden.

    D'Oh

    Tuesday, August 25, 2015 2:31 PM
  • Hello PolarWolf,

    In short, when defining one or more policies that apply in the CAPolicy.inf file you should be careful about typos in the section and policy names. The engine does not perform checks, and if there is invalid syntax the section will be omitted and it moves on to the next line.

    In your code the names of the policies defined in [PolicyStatementExtension] should match each policy section. Thus, to have all issuance policies embedded in the certificate you should use the same names in the actual policy sections.

    In your code block you reference CertificatePolicy, but below you reference [CertificateStatement]. Do you have 2 or 3 issuance policies once the CA is up and running? I am curious but I have no access to prepared machine to test :)

    Tuesday, August 25, 2015 7:24 PM
  • Good morning PolarWolf,

    Today I created a new test CA in my PKI lab and installed a new Enterprise Issuing CA using your CAPolicy.inf file, just modifying the policy names to match. The result was a CA certificate containing the issuance policies, with proper URL redirection when clicking on the "Issuer Statement" button.

    What you can check:

    • Do you have the policies in the request file, as I do, when checking it with certutil?
    • Once the request is submitted to the signing certificate authority, do you have the Certificate Policies listing all three in the value section?

    [PolicyStatementExtension] 
    Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement
    
    [SecurityPolicy]
    OID=1.3.6.1.4.1.999999.509.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf
    
    [CertificatePolicy] 
    OID=1.3.6.1.4.1.999999.509.2
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf
    
    [CertificatePracticeStatement] 
    OID=1.3.6.1.4.1.999999.509.10.10.1
    URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf

    Thursday, August 27, 2015 7:53 AM
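The two posts above describe the same failure mechanism: a name in the Policies= list of [PolicyStatementExtension] that has no matching section makes ADCS drop the issuance policies, and a template that then requests one of those OIDs fails with "Invalid Issuance Policies". The following linter is an added example written for this page, not code from the thread or from Microsoft; it reproduces the mismatch before the CA is even installed. Its two rules (one unresolvable name means no policies are asserted at all; a requested OID the CA does not assert, absent AllIssuancePolicies 2.5.29.32.0, is rejected) are modelled on what the thread reports, not on documented ADCS internals. The sample INF text is constructed from the thread's own CAPolicy.inf with 999999 standing in for the IANA PEN, exactly as the test post above does; case-insensitive section matching is an assumption about INF parsing.

```python
"""Lint the [PolicyStatementExtension] block of an ADCS CAPolicy.inf.

Added example, not from the thread. Assumptions (modelled on the thread):
  * every name in Policies= needs a section of that name (compared
    case-insensitively, as INF section names are assumed to be) with an OID=;
  * if any entry cannot be resolved, the whole extension is dropped and the
    CA certificate asserts no issuance policies;
  * a template requesting an OID the CA does not assert (and the CA not
    asserting AllIssuancePolicies) fails with "Invalid Issuance Policies".
"""
import re
import sys
from configparser import RawConfigParser

ALL_ISSUANCE_POLICIES = "2.5.29.32.0"      # AllIssuancePolicy, as named in the question
OID_RE = re.compile(r"^\d+(\.\d+)+$")      # dotted-decimal OID


def parse_capolicy(text: str) -> RawConfigParser:
    """Parse INF text. RawConfigParser does no %-interpolation (the
    "$Windows NT$" signature is harmless) and strict=False tolerates the
    repeated keys that [NameConstraintsPermitted] legitimately uses."""
    cp = RawConfigParser(strict=False, delimiters=("=",),
                         inline_comment_prefixes=(";",))
    cp.optionxform = str        # keep OID / URL key case as written
    cp.read_string(text)
    return cp


def lint_policy_statement(text: str):
    """Return (effective, errors, warnings).

    effective maps policy name -> OID for what the CA certificate would
    actually assert; errors are findings that (per the thread) drop the
    whole extension; warnings do not."""
    cp = parse_capolicy(text)
    by_lower = {s.lower(): s for s in cp.sections()}
    errors, warnings, resolved = [], [], {}

    pse = by_lower.get("policystatementextension")
    if pse is None:
        errors.append("no [PolicyStatementExtension] section")
        return {}, errors, warnings

    names = [n.strip() for n in cp.get(pse, "Policies", fallback="").split(",") if n.strip()]
    if not names:
        errors.append("[PolicyStatementExtension] has an empty Policies= list")
        return {}, errors, warnings

    for name in names:
        sec = by_lower.get(name.lower())
        if sec is None:
            errors.append(f"Policies= names '{name}' but there is no [{name}] section")
            continue
        oid = cp.get(sec, "OID", fallback="").strip()
        if not OID_RE.match(oid):
            errors.append(f"[{sec}] has no valid OID= (got {oid!r})")
            continue
        if not (cp.has_option(sec, "URL") or cp.has_option(sec, "Notice")):
            warnings.append(f"[{sec}] has neither URL= nor Notice= (no policy qualifier)")
        resolved[name] = oid

    # All-or-nothing, as observed in the thread: one bad entry, nothing asserted.
    effective = resolved if not errors else {}
    return effective, errors, warnings


def ca_accepts_policy(requested_oid: str, effective: dict) -> bool:
    """Would the issuing CA accept a template that requests requested_oid?"""
    asserted = set(effective.values())
    return requested_oid in asserted or ALL_ISSUANCE_POLICIES in asserted


# Constructed sample: the thread's issuing-CA block, 999999 standing in for the PEN.
BROKEN_INF = """\
[Version]
Signature = "$Windows NT$"

[PolicyStatementExtension]
Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement

[SecurityPolicy]
OID=1.3.6.1.4.1.999999.509.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf

[CertificateStatement]
OID=1.3.6.1.4.1.999999.509.2
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf

[CertificatePracticeStatement]
OID=1.3.6.1.4.1.999999.509.10.10.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf
"""
# The fix from the thread: the section name must match the Policies= entry.
FIXED_INF = BROKEN_INF.replace("[CertificateStatement]", "[CertificatePolicy]")

if __name__ == "__main__":
    # Optional path to a real CAPolicy.inf; utf-8-sig is an assumption about its encoding.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else BROKEN_INF
    effective, errors, warnings = lint_policy_statement(text)
    for e in errors:
        print("ERROR:", e)
    for w in warnings:
        print("WARN: ", w)
    print("CA would assert:", effective or "no issuance policies")
    cps = "1.3.6.1.4.1.999999.509.10.10.1"
    print(f"template requesting {cps}:", "OK" if ca_accepts_policy(cps, effective) else "Invalid Issuance Policies")
```

Run as-is it flags the CertificatePolicy/[CertificateStatement] mismatch and reports that a template requesting the CPS OID would be rejected, which is the error the question quotes; run against a real file after the fix it reports three asserted policies. The linter only checks the INF text; the on-box confirmation the previous post asks for is still to inspect the request file and the issued CA certificate with certutil and verify the Certificate Policies extension lists all three OIDs.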
  • Aleksandar,

    You can stop working on this. PolarWolf had found and corrected his problem even before your first response to this thread.

    Thursday, August 27, 2015 8:10 AM
  • Hi Polar Wolf,

    I have a request from my client: I need to enable Extended Validation in an existing CA setup, but in my CA setup there is no CAPolicy.inf file. Also I am very new to this CA technology. If possible, can you please share your step-by-step document, like how to configure the CAPolicy.inf and how to configure Extended Validation?

    Regards,

    Saravanan.K

    Monday, August 14, 2017 2:55 PM