How to permit all issuing policies on intermediate CAs in Windows Server 2003 (842010)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition

SUMMARY

By default, an intermediate certification authority (CA) does not permit issuing policies for itself or for subordinate CAs. However, in some circumstances, you may want to configure the intermediate CA to permit all issuing policies.

MORE INFORMATION

To configure the intermediate CA to permit all issuing policies, you must modify the CApolicy.inf file. To modify the CApolicy.inf file, follow these steps.

Note The CApolicy.inf file is located in the %SystemRoot% folder.
  1. Open the CApolicy.inf file in Notepad. If the CApolicy.inf file does not exist, create the file.
  2. Add the following lines after the [Version] section:

    [PolicyStatementExtension]
    Policies = AllIssuancePolicy
    Critical = FALSE

    [AllIssuancePolicy]
    OID = 2.5.29.32.0

  3. On the File menu, click Save.
  4. On the File menu, click Exit.
  5. Click Start, point to Administrative Tools, and then click Services.
  6. Stop and then restart the Certificate Services service.
If you created a new CApolicy.inf file, the saved file is similar to the following:

[Version]
Signature= "$Windows NT$"

[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE

[AllIssuancePolicy]
OID = 2.5.29.32.0

REFERENCES

For additional information about the CApolicy.inf file, see the following section in the Microsoft Windows 2000 online Help documentation:

Security\Public Key Infrastructure\Certificate Services\Concepts\Using Certificate Services\Installing and configuring a certification authority

Modification Type:MinorLast Reviewed:7/8/2005
Keywords:kbCertServices kbSecurity kbhowto kbinfo KB842010 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.