How to add custom policy in Sub CA certificate, in Intended for following purpose section

  • Question

  • By default, a Sub CA certificate has " . All application policies" in the Intended for following purpose section of the certificate.

    How do I add one more policy here, something like below? I have also attached an image for reference. Any help is much appreciated. Thanks in advance.

    " . All application policies
      . XYZ application policies "

    Thursday, September 12, 2019 9:39 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Where do we see the above screenshot? Is it from your AD environment?

    In my one tier CA, I can see: [screenshot]

    In my two tier CA, I can see: [screenshot]

    After a lot of research, I am sorry, I cannot find such a method to add one more intended purpose policy on a sub CA.

    But for other certificates issued using a certificate template, we can set it in the certificate template: Properties -> Extensions tab -> Application policies -> Edit.

    Best Regards,
    Daisy Zhou 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 13, 2019 8:58 AM
    Moderator
  • The screenshot I shared is the Sub-CA certificate. It's a 2-tier PKI environment.
    Friday, September 13, 2019 11:33 AM
  • You cannot add another policy when the All Application Policies extension exists for application policies (all includes the one you added).

    If you want to designate specific application policies, they must each be individually added in the CAPolicy.inf file (in %windir%) prior to generating the SubCA request.

    See https://blogs.technet.microsoft.com/pki/2014/03/05/constraints-what-they-are-and-how-theyre-used/ in the Apply Application Policy section:

    [ApplicationPolicyStatementExtension]
    Policies = AppEmailPolicy, AppCodeSignPolicy, AppClAuthPolicy, AppSeAuthPolicy
    CRITICAL = FALSE

    [AppEmailPolicy]
    OID = 1.3.6.1.5.5.7.3.4 ; Secure Email

    [AppCodeSignPolicy]
    OID = 1.3.6.1.5.5.7.3.3 ; Code Signing

    [AppClAuthPolicy]
    OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

    [AppSeAuthPolicy]
    OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

    HTH

    Brian

    Friday, September 13, 2019 4:11 PM
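    As an added check that is not part of Brian's answer or of any Microsoft tooling: a small Python script that reads the [ApplicationPolicyStatementExtension] block of a CAPolicy.inf, resolves each listed policy name to the OID in its own section, and flags the redundancy described above (specific policies listed next to "All application policies"). It assumes Microsoft's "All application policies" OID 1.3.6.1.4.1.311.10.12.1 and uses a constructed sample file with the same content as the fragment quoted above.

```python
import configparser
import re

# Microsoft's "All application policies" OID (szOID_ANY_APPLICATION_POLICY),
# the value behind the ". All application policies" line in the certificate UI.
ANY_APPLICATION_POLICY = "1.3.6.1.4.1.311.10.12.1"
OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample with the same content as the CAPolicy.inf fragment above.
SAMPLE_CAPOLICY = """[ApplicationPolicyStatementExtension]
Policies = AppEmailPolicy, AppCodeSignPolicy, AppClAuthPolicy, AppSeAuthPolicy
CRITICAL = FALSE
[AppEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4 ; Secure Email
[AppCodeSignPolicy]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing
[AppClAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
[AppSeAuthPolicy]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"""

def resolve_application_policies(text):
    """Return ({policy name: OID}, [problems]) for a CAPolicy.inf's application policies.

    CAPolicy.inf is INI syntax with ';' comments; every name listed in Policies
    must have its own [name] section carrying a well-formed OID.
    """
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    if not cp.has_section("ApplicationPolicyStatementExtension"):
        return {}, ["no [ApplicationPolicyStatementExtension] section"]
    raw = cp["ApplicationPolicyStatementExtension"].get("Policies", "")
    names = [n.strip() for n in raw.split(",") if n.strip()]
    resolved, problems = {}, []
    if not names:
        problems.append("Policies list is empty")
    for name in names:
        oid = cp[name].get("OID", "").strip() if name in cp else ""
        if OID_RE.match(oid):
            resolved[name] = oid
        else:
            problems.append(f"{name}: missing section or malformed OID {oid!r}")
    # As the answer above notes, "all" already includes any specific policy, so
    # listing specific entries next to it adds nothing to the certificate.
    if ANY_APPLICATION_POLICY in resolved.values() and len(resolved) > 1:
        problems.append("All application policies listed alongside specific ones")
    return resolved, problems
```

    Run it against the CAPolicy.inf in %windir% before generating the SubCA request; an empty problems list means every listed policy resolves to a distinct, well-formed OID.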
  • Hi,
    Does this question have any update, or is this issue solved? Also, is there any other assistance we could provide for the question?

    Best Regards,
    Daisy Zhou


    Monday, September 16, 2019 1:21 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Wednesday, September 18, 2019 2:05 AM
    Moderator