The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate (283789)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Advanced Server SP1
This article was previously published under Q283789

SYMPTOMS

The Issuer Statement button is unavailable in the View Certificate dialog box even though a policy statement had been specified in the Capolicy.inf file.

CAUSE

The Certificate Services Setup code constructs a Public-Key Cryptography Standard #10 (PKCS #10) request that contains an array of X.509 extensions that should be included in the issued certificate. If the policy statement is included in a properly formatted Capolicy.inf file located in %SystemRoot%, the policy statement information is included in the request sent to the server.

When the PKCS #10 request is submitted to the certification authority (CA), the CA's policy module must take action to put the policy statement information that is included with the request into the appropriate extension in the certificate.

By design, extensions included in requests are added to the certificate server database, but are not included in the certificate. Certificate Services relies upon its configuration information in the registry to determine exactly which extensions to transfer from a request to the certificate. To check the current settings, perform the following steps:
  1. On the CA that will process requests that have policy statements, start the Cmd.exe program.
  2. Type the following command line, and then press ENTER:

    certutil -v -getreg Policy\EnableRequestExtensionList

  3. The returned information should resemble the following:

    
EnableRequestExtensionList REG_MULTI_SZ =

  0: 2.5.29.37 -- Enhanced Key Usage
  1: 2.5.29.15 -- Key Usage
  2: 2.5.29.17 -- Subject Alternative Name
  3: 1.3.6.1.4.1.311.21.1 -- CA Version
  4: 2.5.29.32 -- Certificate Policies

If the Certificate Policies object identifier (OID) is missing, the policy module does not transfer the policy statement information from the PKCS #10 request to the issued certificate.

RESOLUTION

To resolve this behavior, follow these steps:
  1. On the CA, start the Cmd.exe program.
  2. Type the following command line, and then press ENTER:

    certutil -setreg Policy\EnableRequestExtensionList +"2.5.29.32"

  3. The returned information should look similar to the following: 
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\TestCA\PolicyModules\ 
     CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList:

   Old Value:
     EnableRequestExtensionList REG_MULTI_SZ =
       0: 2.5.29.32 Certificate Policies
       1: 1.2.840.113549.1.9.15 SMIME Capabilities
       2: 1.3.6.1.4.1.311.21.1 CA Version
       3: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
  
   New Value:
     EnableRequestExtensionList REG_MULTI_SZ =
       0: 1.2.840.113549.1.9.15 SMIME Capabilities
       1: 1.3.6.1.4.1.311.21.1 CA Version
       2: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash
       3: 2.5.29.15 Key Usage
       4: 2.5.29.32 Certificate Policies
   CertUtil: -setreg command completed successfully.
    You may have to restart the CertSvc service for the changes to take effect.
  4. Stop and restart Certificate Services. No special settings are required when you include Certificate Policy information in a root CA certificate. When you install a root CA, all settings that are specified in the Capolicy.inf file are copied into the root CA certificate.

MORE INFORMATION

You can also use the Certutil.exe program to verify that the policy statement information is actually included in the request. To observe this information, save the certificate request to a file, and then type the following line at a command prompt:

certutil filename.req

The returned information should look like the following: 
    2.5.29.32: Flags = 0, Length = 1e1
    Certificate Policies
        [1]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.43
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Legal policy statement text.
        [2]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.47
             [2,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://http.site.com/some%20where/default.asp
             [2,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ftp://ftp.site.com/some%20where%20else/default.asp
             [2,3]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Limited use policy statement text.
             [2,4]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                      ldap://ldap.site.com/some%20where%20else%20again/default.asp
        [3]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.53
             [3,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       http://extra.site.com/Extra%20Policy/default.asp
        [4]Certificate Policy:
             PolicyIdentifier=1.3.6.1.4.1.311.21.55
Even though the details can vary, if the 2.5.29.32 section exists, the policy statement information is included in the certificate request. If this section is not included in the request, you must verify the format of the Capolicy.inf file.
Modification Type:MinorLast Reviewed:1/27/2006
Keywords:kbenv kbprb KB283789
©2004 Microsoft Corporation. All rights reserved.