The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate

Article translations Article translations
Article ID: 283789 - View products that this article applies to.
This article was previously published under Q283789
Expand all | Collapse all

SYMPTOMS

The Issuer Statement button is unavailable in the View Certificate dialog box even though a policy statement had been specified in the Capolicy.inf file.

CAUSE

The Certificate Services Setup code constructs a Public-Key Cryptography Standard #10 (PKCS #10) request that contains an array of X.509 extensions that should be included in the issued certificate. If the policy statement is included in a properly formatted Capolicy.inf file located in %SystemRoot%, the policy statement information is included in the request sent to the server.

When the PKCS #10 request is submitted to the certification authority (CA), the CA's policy module must take action to put the policy statement information that is included with the request into the appropriate extension in the certificate.

By design, extensions included in requests are added to the certificate server database, but are not included in the certificate. Certificate Services relies upon its configuration information in the registry to determine exactly which extensions to transfer from a request to the certificate. To check the current settings, perform the following steps:
  1. On the CA that will process requests that have policy statements, start the Cmd.exe program.
  2. Type the following command line, and then press ENTER:
    certutil -v -getreg Policy\EnableRequestExtensionList
  3. The returned information should resemble the following:
    
    EnableRequestExtensionList REG_MULTI_SZ =
    
      0: 2.5.29.37 -- Enhanced Key Usage
      1: 2.5.29.15 -- Key Usage
      2: 2.5.29.17 -- Subject Alternative Name
      3: 1.3.6.1.4.1.311.21.1 -- CA Version
      4: 2.5.29.32 -- Certificate Policies
    						
If the Certificate Policies object identifier (OID) is missing, the policy module does not transfer the policy statement information from the PKCS #10 request to the issued certificate.

RESOLUTION

To resolve this behavior, follow these steps:
  1. On the CA, start the Cmd.exe program.
  2. Type the following command line, and then press ENTER:
    certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32"
  3. The returned information should look similar to the following:
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\TestCA\PolicyModules\ 
         CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList:
    
       Old Value:
         EnableRequestExtensionList REG_MULTI_SZ =
           0: 2.5.29.32 Certificate Policies
           1: 1.2.840.113549.1.9.15 SMIME Capabilities
           2: 1.3.6.1.4.1.311.21.1 CA Version
           3: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
      
       New Value:
         EnableRequestExtensionList REG_MULTI_SZ =
           0: 1.2.840.113549.1.9.15 SMIME Capabilities
           1: 1.3.6.1.4.1.311.21.1 CA Version
           2: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
           3: 2.5.29.15 Key Usage
           4: 2.5.29.32 Certificate Policies
       CertUtil: -setreg command completed successfully.
    						
    You may have to restart the CertSvc service for the changes to take effect.
  4. Stop and restart Certificate Services. No special settings are required when you include Certificate Policy information in a root CA certificate. When you install a root CA, all settings that are specified in the Capolicy.inf file are copied into the root CA certificate.

MORE INFORMATION

You can also use the Certutil.exe program to verify that the policy statement information is actually included in the request. To observe this information, save the certificate request to a file, and then type the following line at a command prompt:
certutil filename.req
The returned information should look like the following:
    2.5.29.32: Flags = 0, Length = 1e1
    Certificate Policies
        [1]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.43
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Legal policy statement text.
        [2]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.47
             [2,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://http.site.com/some%20where/default.asp
             [2,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ftp://ftp.site.com/some%20where%20else/default.asp
             [2,3]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Limited use policy statement text.
             [2,4]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                      ldap://ldap.site.com/some%20where%20else%20again/default.asp
        [3]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.53
             [3,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://extra.site.com/Extra%20Policy/default.asp
        [4]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.55
				
Even though the details can vary, if the 2.5.29.32 section exists, the policy statement information is included in the certificate request. If this section is not included in the request, you must verify the format of the Capolicy.inf file.

Properties

Article ID: 283789 - Last Review: October 31, 2006 - Revision: 2.3
APPLIES TO
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbenv kbprb KB283789

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com