This article was previously published under Q283789
The Issuer Statement button is unavailable in the View Certificate dialog box even though a policy statement had been specified in the Capolicy.inf file.
The Certificate Services Setup code constructs a Public-Key Cryptography Standard #10 (PKCS #10) request that contains an array of X.509 extensions that should be included in the issued certificate. If the policy statement is included in a properly formatted Capolicy.inf file located in %SystemRoot%, the policy statement information is included in the request sent to the server.
When the PKCS #10 request is submitted to the certification authority (CA), the CA's policy module must take action to put the policy statement information that is included with the request into the appropriate extension in the certificate.
By design, extensions included in requests are added to the certificate server database, but are not included in the certificate. Certificate Services relies upon its configuration information in the registry to determine exactly which extensions to transfer from a request to the certificate. To check the current settings, perform the following steps:
On the CA that will process requests that have policy statements, start the Cmd.exe program.
Type the following command line, and then press ENTER:
The returned information should look similar to the following:
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\TestCA\PolicyModules\ CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList: Old Value: EnableRequestExtensionList REG_MULTI_SZ = 0: 22.214.171.124 Certificate Policies 1: 1.2.840.1135126.96.36.199 SMIME Capabilities 2: 188.8.131.52.4.1.311.21.1 CA Version 3: 184.108.40.206.4.1.311.21.2 Previous CA Certificate Hash New Value: EnableRequestExtensionList REG_MULTI_SZ = 0: 1.2.840.1135220.127.116.11 SMIME Capabilities 1: 18.104.22.168.4.1.311.21.1 CA Version 2: 22.214.171.124.4.1.311.21.2 Previous CA Certificate Hash 3: 126.96.36.199 Key Usage 4: 188.8.131.52 Certificate Policies CertUtil: -setreg command completed successfully.
You may have to restart the CertSvc service for the changes to take effect.
Stop and restart Certificate Services.No special settings are required when you include Certificate Policy information in a root CA certificate. When you install a root CA, all settings that are specified in the Capolicy.inf file are copied into the root CA certificate.
You can also use the Certutil.exe program to verify that the policy statement information is actually included in the request. To observe this information, save the certificate request to a file, and then type the following line at a command prompt:
The returned information should look like the following:
Even though the details can vary, if the 184.108.40.206 section exists, the policy statement information is included in the certificate request. If this section is not included in the request, you must verify the format of the Capolicy.inf file.