I had modeled some post-install scripts after some entries in Brian's book and in response to some topics on this board. I think I took the example policy file too literal. I was playing around with some lab systems today and noticed
that Windows XP SP3 systems had issues verifying the certificate chain; "Wrong Issuer" in certutil -verify -urlfetch. In doing some research and testing, removing the AlternateSignatureAlgorithm in the CAPolicy.inf of my CAs and reissuing
the SubCA resolved the issue. I then read in the online documents that this setting may not work with pre-Server 2008/Win7 Operating Systems. I just want to clarify two things:
If an environment is going to have Windows XP (or even non-Windows) systems, should this setting always remain at 0?
Is this setting only required if using CNG? And if it was required and implemented, would this render XP and non-Windows machines unable to use the CA?
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.