Guest Saratoga
Posted January 24, 2009

For testing, I need to create a 3-Tier CA hierarchy with Windows Server 2003 Enterprise Edition, following the procedures for the Contoso example described in "Best Practises for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure".

During configuration, I encountered a problem in creating a Certificate request for the Intermediate CA (the 2nd tier Policy CA): The policy statement information specified in CAPolicy.inf file located in %SystemRoot% is not included with the request.

I verified that CAPolicy.inf has the correct syntax, according to the document:

    [Version]
    Signature= "$Windows NT$"

    [PolicyStatementExtension]
    Policies = AllIssuancePolicy
    Critical = FALSE

    [AllIssuancePolicy]
    OID = 2.5.29.32

The problem is not fixed even after I used the instruction:

    certutil -setreg Policy\EnableRequestExtensionList "+2.5.29.32"

Thank you in advance for your help.

Guest Brian Komar (MVP)
Posted January 24, 2009

For the all issuance policies listing, you do not need to put it in the CAPolicy.inf file. This is automatically populated when you do not include custom policies.

Brian

Guest Saratoga
Posted January 26, 2009

Re: policy statement information specified in CAPolicy.inf not in

Hi Brian,

Thank you for your response. As in the Contoso example, my 2-tier Policy CAs don't use Active Directory. According to the document described for the example, it emphasizes that the certificate policies section must appear in the certificate request:

"The most important aspect of the capolicy.inf procedure is to allow all issuance policies at the intermediate level. A root CA always issues a SubCA certificate with all issuance policies allowed. At the intermediate CA level, this attribute must be set explicitly, otherwise it would allow all application policies but no issuing policies. An issuing CA cannot define any issuing policy if the CA certificate does not permit issuing of certificates."

Isn't that true as the above text warned? I am afraid there could be a problem for the issuing CA.

Guest Greg Pratt
Posted April 28, 2009

Re: policy statement information specified in CAPolicy.inf not in

Hi-

I am running into the exact same problem. I thought that the All issuance policies listing might be the default if not specified in the CAPolicy.inf, so I rebuilt my offline Policy CA and left the entry out of the CAPolicy.inf file... However, the certificate that the RootCa issues to the SubCA STILL does not contain the bullet for "All issuance policies;" only for "All application policies."

I'm not even sure this is a problem, but as Saratoga was saying, the validation steps in the Best Practices guide say it should be there. Should it be, and what would it mean downstream (on the issuing CAs) if it weren't?

Thanks in advance for any help-

Greg
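
An added example, not part of any post in this thread and not Microsoft tooling: a small Python check that resolves the policy sections named in a CAPolicy.inf and reports the OIDs they carry. It relies on the RFC 5280 assignments (2.5.29.32 identifies the certificatePolicies extension itself, 2.5.29.32.0 is anyPolicy, which Windows displays as "All issuance policies"); the function name and the wording of the findings are made up for illustration.

```python
import configparser

CERT_POLICIES_EXT = "2.5.29.32"   # id-ce-certificatePolicies: the extension, not a policy (RFC 5280)
ANY_POLICY = "2.5.29.32.0"        # anyPolicy, displayed by Windows as "All issuance policies"

# Constructed sample input: the file contents as posted at the top of the thread.
POSTED = """\
[Version]
Signature= "$Windows NT$"

[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE

[AllIssuancePolicy]
OID = 2.5.29.32
"""

def check_capolicy(text):
    """Return (policy_oids, findings) for the text of a CAPolicy.inf file."""
    inf = configparser.ConfigParser(interpolation=None, strict=False)
    inf.read_string(text)
    # INF section names are case-insensitive; configparser's are not.
    sections = {s.lower(): s for s in inf.sections()}
    ext = sections.get("policystatementextension")
    if ext is None:
        return [], ["no [PolicyStatementExtension] section"]
    oids, findings = [], []
    names = inf.get(ext, "policies", fallback="")
    for name in (n.strip() for n in names.split(",") if n.strip()):
        sec = sections.get(name.lower())
        if sec is None:
            findings.append(f"[{name}] is listed in Policies but not defined")
            continue
        oid = inf.get(sec, "oid", fallback="").strip().strip('"')
        oids.append(oid)
        if not oid:
            findings.append(f"[{name}] has no OID")
        elif oid == CERT_POLICIES_EXT:
            findings.append(f"[{name}] OID {oid} is the extension identifier, not a policy OID")
    if ANY_POLICY not in oids:
        findings.append(f"anyPolicy ({ANY_POLICY}) is not among the listed policies")
    return oids, findings

if __name__ == "__main__":
    oids, findings = check_capolicy(POSTED)
    print("policy OIDs:", oids)
    for finding in findings:
        print("finding:", finding)
```

The same comparison applies to the issued SubCA certificate: the Certificate Policies extension in a `certutil -dump` of the certificate should list the policy OID, not only be present.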