All Issuance Policies for an intermediate CA

  • Question

  • I'm using a 2-tier CA hierarchy, one root CA, one intermediate CA. We need to grant the "All Issuance Policy" to our intermediate CA.

    I've tried creating a CAPolicy.inf like this:

    [Version]
    Signature= "$Windows NT$"

    [PolicyStatementExtension]
    Policies = AllIssuancePolicy
    Critical = FALSE

    [AllIssuancePolicy]
    OID = 2.5.29.32.0

    ... but when I renew the intermediate CA's certificate, I'm not getting a certificate with the "AllIssuancePolicy"...

    This used to work on Windows 2003. Has this been changed for Windows 2008 R2?

    Best regards,
    Jeroen.

    Thursday, November 17, 2011 10:59 AM

Answers

  • Make sure CAPolicy.inf is located in the %windir% folder. In addition, I'm not sure if only the OID is allowed. Afaik you need to provide the OID and a URL (or User notice):

    [AllIssuancePolicy]
    URL = SomeURL
    OID = 2.5.29.32.0

    or:

    [AllIssuancePolicy]
    Notice = Some text (max 511 characters)
    OID = 2.5.29.32.0

    In addition you may need to run the following command on the CA server:

    certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32"
    net stop certsvc && net start certsvc


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, November 17, 2011 1:01 PM
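    The answer above, put together as one PowerShell script. This is an added example, not code from the thread or from the poster: it writes a CAPolicy.inf that carries a URL beside the OID, enables 2.5.29.32 in the policy module of the CA that signs the renewal request (the root CA in a two-tier hierarchy, which is where Jeroen's later post says the list was missing), and then checks the renewed certificate for the anyPolicy OID instead of trusting that the request was honoured. anyPolicy on a subordinate CA certificate means the subordinate is not tied to any specific issuance policy, which is the intent here, so the check is on the issued certificate. The CPS URL, the certificate path and the use of Restart-Service in place of net stop / net start are assumptions of mine.

```powershell
# Added example, not code from the thread. Puts the accepted answer into one script and
# adds a check that the renewed certificate really carries anyPolicy (2.5.29.32.0).
# Assumed names (not on the page): CPS URL http://pki.example.com/cps.html and the renewed
# certificate exported to C:\Temp\SubCA-renewed.crt. Run elevated on the machine named in
# each step.

# Step 1, on the SUBORDINATE CA: CAPolicy.inf must sit in %windir%, and the policy section
# needs a URL (or Notice) next to the OID, otherwise the extension is not put in the request.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE

[AllIssuancePolicy]
OID = 2.5.29.32.0
URL = http://pki.example.com/cps.html
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# Step 2, on the ROOT CA that signs the renewal request: let the policy module copy the
# Certificate Policies extension (2.5.29.32) from the request into the issued certificate.
certutil -setreg Policy\EnableRequestExtensionList +2.5.29.32
Restart-Service CertSvc
certutil -getreg Policy\EnableRequestExtensionList   # 2.5.29.32 should now be listed

# Step 3, anywhere: after renewing the subordinate CA certificate (certsrv.msc, "Renew CA
# Certificate", then submit the request to the root), verify the result. The DER encoding of
# the OID 2.5.29.32.0 is 06 04 55 1D 20 00; searching the raw extension bytes for it avoids
# relying on certutil's friendly name for the OID.
function Test-AnyPolicy {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return $false }   # no Certificate Policies extension at all
    [byte[]]$pattern = 0x06, 0x04, 0x55, 0x1D, 0x20, 0x00
    $raw = $ext.RawData
    for ($i = 0; $i -le $raw.Length - $pattern.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $pattern.Length; $j++) {
            if ($raw[$i + $j] -ne $pattern[$j]) { $hit = $false; break }
        }
        if ($hit) { return $true }
    }
    return $false
}

Test-AnyPolicy -CertPath 'C:\Temp\SubCA-renewed.crt'   # True once the fix has taken effect
```

    If Test-AnyPolicy returns False, look at the request rather than the CA first: a request generated without the URL or Notice line will not contain the extension at all, and no EnableRequestExtensionList setting on the root can add it.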

All replies

  • In Windows 2008 R2 some slight changes have been made that most likely affect the way Issuance Policies are evaluated.

    Could you please test if the following flags resolve your issue.

    Run the following command at the CA and restart the CA service:

    certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES
    net stop certsvc
    net start certsvc

    Try to issue an end-entity certificate with Issuance Policies.

    (Only) in case this does not help, use the following flag:

    certutil -setreg CA\CRLFlags +CRLF_DISABLE_CHAIN_VERIFICATION
    net stop certsvc
    net start certsvc

    Try to issue an end-entity certificate with Issuance Policies.

    See if the below articles help you in resolving the issue.

    http://technet.microsoft.com/en-us/library/dd299871(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc736786(WS.10).aspx

    Regards, Vinod H
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, November 17, 2011 1:08 PM
  •

    Sorry, but your solution is just a temporary workaround and no more. These settings should not be used in a production environment.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, November 17, 2011 1:24 PM
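    An added example, not part of the thread, to go with the warning above. The two CRLFlags suggested earlier do not fix the missing extension; CRLF_IGNORE_INVALID_POLICIES makes the CA ignore issuance-policy errors in its chain and CRLF_DISABLE_CHAIN_VERIFICATION makes it skip verifying its own certificate chain, so a CA that has had them set as a workaround should be audited and cleared once the real fix is in. The script reads the flag names from certutil -getreg output, which is an assumption about that output's format; the numeric bit values are not needed. Run it elevated on the CA.

```powershell
# Added example, not code from the thread: find and remove the two workaround CRLFlags.
# Assumption: `certutil -getreg CA\CRLFlags` lists each set flag by name (CRLF_...) in its output.

function Get-CrlFlagWorkarounds {
    # Join the output lines so a single -match covers the whole listing
    $out = (certutil -getreg CA\CRLFlags) -join "`n"
    [pscustomobject]@{
        IgnoreInvalidPolicies    = [bool]($out -match 'CRLF_IGNORE_INVALID_POLICIES')
        DisableChainVerification = [bool]($out -match 'CRLF_DISABLE_CHAIN_VERIFICATION')
    }
}

function Remove-CrlFlagWorkarounds {
    $state = Get-CrlFlagWorkarounds
    if ($state.IgnoreInvalidPolicies) {
        # A leading "-" on the flag name clears that bit, the counterpart of the "+" used to set it
        certutil -setreg CA\CRLFlags -CRLF_IGNORE_INVALID_POLICIES
    }
    if ($state.DisableChainVerification) {
        certutil -setreg CA\CRLFlags -CRLF_DISABLE_CHAIN_VERIFICATION
    }
    if ($state.IgnoreInvalidPolicies -or $state.DisableChainVerification) {
        # CRLFlags is read when the service starts, so a restart is needed for the change to apply
        Restart-Service CertSvc
    }
    # Return the state after clearing so the caller can confirm both are now False
    Get-CrlFlagWorkarounds
}

Get-CrlFlagWorkarounds        # audit only
# Remove-CrlFlagWorkarounds   # clear both flags and restart the CA service
```

    Keep the audit call in whatever periodic check you run against the CA's registry configuration; a flag that was set "temporarily" during troubleshooting is easy to forget.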
  • This did the trick!

    Thank you very much :)

    Thursday, November 17, 2011 1:34 PM
  • This did the trick!

    Thank you very much :)


    What exactly?
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, November 17, 2011 1:37 PM
  • OK, Let me be a little more specific.

    • "Certutil -Getreg Policy" revealed that indeed the extension list "2.5.29.32" was not in there, so the root CA would never issue a certificate with this policy.
    • the CAPolicy.inf needed a "Notice" or "URL" to put the extension in the request file.

    So basically, both of your options were needed. (I knew the CAPolicy.inf needed to be in %windir%)

    Thanks again :)

    -- Jeroen.

    Thursday, November 17, 2011 2:01 PM