Invalid Issuance Policy for Extended Validation Certificate Template Windows Server 2012 R2

  • Question

  • Hi Team,

    I need assistance. I have created an extended validation CA using the link http://richardjgreen.net/extended-validation-ev-internal-certificate-authority/

    Unfortunately, when I try to enroll the certificate template I get the below error on the CA:

    Active Directory Certificate Services denied request 6 because The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY).  The request was for CN=pkitest.nlab.sec, OU=ICT, O=SEC, C=US.  Additional information: Error Constructing or Publishing Certificate  Invalid Issuance Policies:  1.3.6.1.4.1.311.21.8.14018552.7350061.16666553.16755177.581348.68.15095729.8851883

    Regards

    Thursday, August 11, 2016 9:17 AM


All replies

  • This is a known issue with Server 2012 R2. Listed in my ADCS Hotfix list: https://pkisolutions.com/2012r2hotfixes/. Take a look at https://support.microsoft.com/en-us/kb/2962991

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Thursday, August 11, 2016 4:08 PM
  • Hi Mark,

    Thank you, I went through your site.

    However, I am somewhere left out; we do not use OCSP in our environment, it is just a normal Web server certificate template (with custom Extended Validation policy) enrolment.

    Microsoft did not provide any fix on this. Is there any workaround for the same?

    Regards,


    Thursday, August 11, 2016 10:48 PM
  • The same issue applies to any asserted Issuance Policies, whether it is OCSP or not. So you would need to ensure your CA certificates assert your EV OID as well.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com


    Thursday, August 11, 2016 10:51 PM
  • Mark,

    Thanks for your help.

    Regards,

    Friday, August 12, 2016 8:04 AM
  • I'm also seeing the same issue, two tier pki (offline root and online issuing ca) the Root and Issuing certs are pushed out via GPO and have the EV OID added to both their properties.  The Webserver template was duplicated (v4) (updated for ksp/sha2/key size etc) and Issuance Policy added to the template then added for deployment via the issuing CA.

    Anyone any idea what I've missed (same error as OP)?

    Thanks,

    Peter

    Monday, September 5, 2016 2:09 PM
  • As I mentioned above, your subordinate CA either needs to be renewed/configured with All Issuance Policies in the extension of its CA certificate, or you need to ensure the appropriate Issuance Policies and OIDs (such as this EV Issuance Policy) are asserted in the subordinate CA certificate. By default, since Server 2008 R2, only Root CAs are configured for All Issuance Policies. That means all subordinates are essentially unable to issue anything with an Issuance Policy. So whether it's this EV Issuance Policy or a Low/Medium/High Assurance Policy, the CA will be unable to issue a certificate with a template asserting an Issuance Policy.

    To enable All Issuance Policies, your CA needs to be installed, or renewed, with a CA Policy that looks like the one below. Note this is not for everyone, as it will enable the CA to issue any template with any issuance policies. So it should only be used in this default syntax if you aren't using any other issuance policies.

    [Version]
    Signature= "$Windows NT$"

    [PolicyStatementExtension]
    Policies = AllIssuancePolicy
    Critical = FALSE

    [AllIssuancePolicy]
    OID = 2.5.29.32.0


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Proposed as answer by Amy Wang_ Wednesday, September 7, 2016 9:47 AM
    • Marked as answer by Amy Wang_ Monday, September 12, 2016 1:33 AM
    Tuesday, September 6, 2016 4:26 PM
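    The answer above says the fix is to make sure every CA certificate in the path (here the subordinate) either asserts All Issuance Policies (2.5.29.32.0) or the specific issuance policy OID the template uses. The following PowerShell is an added example, not code from the thread or from PKI Solutions; it decodes an OID into its DER form and checks whether that OID appears in a CA certificate's Certificate Policies extension (2.5.29.32), so you can verify a CA certificate before renewing or reinstalling with a new CAPolicy.inf. The certificate store path and the subject filter in the usage comment are assumptions; the EV OID is the one from the original error message.

```powershell
# Added example (not from the thread): check whether a CA certificate's Certificate Policies
# extension asserts All Issuance Policies (2.5.29.32.0) or a specific issuance policy OID.

function ConvertTo-DerOid {
    # Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV (tag 0x06, short-form length).
    param([Parameter(Mandatory)][string]$Oid)
    $arcs = [long[]]($Oid.Split('.') | ForEach-Object { [long]$_ })
    if ($arcs.Count -lt 2) { throw "OID needs at least two arcs: $Oid" }

    # The first two arcs are packed into a single subidentifier: 40 * a + b.
    $subIds = [System.Collections.Generic.List[long]]::new()
    $subIds.Add(40 * $arcs[0] + $arcs[1])
    for ($i = 2; $i -lt $arcs.Count; $i++) { $subIds.Add($arcs[$i]) }

    $body = [System.Collections.Generic.List[byte]]::new()
    foreach ($v in $subIds) {
        # Each subidentifier is base-128, big-endian, high bit set on all but the last byte.
        $chunk = [System.Collections.Generic.List[byte]]::new()
        do {
            $chunk.Insert(0, [byte]($v -band 0x7F))
            $v = $v -shr 7
        } while ($v -gt 0)
        for ($j = 0; $j -lt $chunk.Count - 1; $j++) { $chunk[$j] = [byte]($chunk[$j] -bor 0x80) }
        $body.AddRange($chunk)
    }
    if ($body.Count -ge 128) { throw "long-form DER length not handled for OID $Oid" }
    # Example: '2.5.29.32.0' encodes as 06 04 55 1D 20 00
    return [byte[]](@([byte]0x06, [byte]$body.Count) + $body.ToArray())
}

function Test-ByteSubsequence {
    # Plain byte-pattern search; enough to spot a PolicyInformation OID inside the extension.
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

function Test-CaIssuancePolicy {
    # Report whether the CA certificate can sign templates that assert the given issuance policies.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredOid = @()
    )
    $policyExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $policyExt) {
        return [pscustomobject]@{
            Subject             = $Certificate.Subject
            HasPolicyExtension  = $false
            AllIssuancePolicies = $false
            AssertedRequired    = @()
            Verdict             = 'No Certificate Policies extension: templates with an issuance policy will be denied (CERT_E_INVALID_POLICY).'
        }
    }
    $raw      = $policyExt.RawData
    $all      = Test-ByteSubsequence -Haystack $raw -Needle (ConvertTo-DerOid '2.5.29.32.0')
    $asserted = @($RequiredOid | Where-Object { Test-ByteSubsequence -Haystack $raw -Needle (ConvertTo-DerOid $_) })
    $missing  = @($RequiredOid | Where-Object { $asserted -notcontains $_ })

    $verdict = if ($all) { 'All Issuance Policies asserted: any issuance policy can be issued.' }
               elseif ($missing.Count -eq 0) { 'Every required issuance policy OID is asserted.' }
               else { "Missing issuance policy OID(s): $($missing -join ', '). Renew the CA with these OIDs or with AllIssuancePolicy." }

    [pscustomobject]@{
        Subject             = $Certificate.Subject
        HasPolicyExtension  = $true
        AllIssuancePolicies = $all
        AssertedRequired    = $asserted
        Verdict             = $verdict
    }
}

# Usage (assumed store path and subject filter; adjust for your environment). Run this for
# every CA certificate between the issuing CA and the root, since each link must carry the policy.
# $ca = Get-ChildItem Cert:\LocalMachine\CA | Where-Object Subject -like '*Issuing CA*' | Select-Object -First 1
# Test-CaIssuancePolicy -Certificate $ca -RequiredOid '1.3.6.1.4.1.311.21.8.14018552.7350061.16666553.16755177.581348.68.15095729.8851883'
```

    The byte-pattern search is deliberately simple: it does not parse the full ASN.1 structure, but an issuance policy OID can only occur in this extension as the policyIdentifier of a PolicyInformation entry, so a hit means the policy is asserted. A CA certificate with a Certificate Policies extension that lists only, say, an internal Low Assurance OID will report the EV OID as missing, which is exactly the condition behind the CERT_E_INVALID_POLICY error in the question.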
  • Hi,

    Sorry, I thought I'd replied back to this. I worked out what my issue was, having had a previous Issuing CAPolicy.inf of:

    [Version]
    Signature="$Windows NT$"
    [PolicyStatementExtension]
    Policies = InternalPolicy
    [Certsrv_Server]
    CRLPeriod=Days
    CRLPeriodUnits=3
    LoadDefaultTemplates=0
    [InternalPolicy]
    OID=1.3.6.1.4.1.x.x.x.x
    Notice="Legal Policy Statement"
    URL=http://pki.domain.com/pki/cps.txt

    When I switched it to

    Policies = AllIssuancePolicy

    I had forgotten to move the OID/Notice/URL into the following section from the [InternalPolicy] one.

    Which meant my CAPolicy.inf now looks like this:

    [Version]
    Signature="$Windows NT$"
    [PolicyStatementExtension]
    Policies = AllIssuancePolicy
    Critical = FALSE
    [Certsrv_Server]
    CRLPeriod=Days
    CRLPeriodUnits=3
    LoadDefaultTemplates=0
    [AllIssuancePolicy]
    OID=1.3.6.1.4.1.x.x.x.x
    Notice="Legal Policy Statement"
    URL=http://pki.domain.com/pki/cps.txt

    Before I was getting errors CERTSRV_E_TEMPLATE_DENIED and then CERT_E_INVALID_POLICY.  FYI, if you want the cert not to say "Unknown [?]" in the IE browser bar add an Organisation and any other details you want.

    Thanks for the help, and hopefully the CAPolicy.inf helps someone else here.

    Tuesday, September 20, 2016 1:06 PM