0 Votes
naashan-5887 asked, naashan-5887 edited

Remove custom Application Policy from CA

I was trying to create a certificate template for Remote Desktop Services, and failed on the step:
"Create new Application Policy in Extensions tab, restrict the use scope of the certificate to Remote Desktop Authentication only (enter the following object identifier: 1.3.6.1.4.1.311.54.1.2)"
where I didn't put the mentioned OID. Now I'm stuck with this misconfigured policy, and I'd like to get rid of it since it prevents correct usage of the RDS template.
I already tried to delete it using certutil with the following result:

certutil -oid 1.3.6.1.4.1.311.21.8.3081414.15871507.15353277.12066773.4369765.211.2631787.3020186 delete
1.3.6.1.4.1.311.21.8.3081414.15871507.15353277.12066773.4369765.211.2631787.3020186 -- Remote Desktop Authentication
pwszName = Remote Desktop Authentication
CRYPT_ENHKEY_USAGE_OID_GROUP_ID (7)
dwValue = 0
CertUtil: -oid command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

remote-desktop-services

0 Votes
CarlFan-MSFT answered

Hi,
Please check the information below:
Because an Application Policy can be re-used across multiple templates, they are stored in Active Directory. Once an Application Policy is created, it is added to the list to be later re-used but there is no delete option so once an OID is added, it’s there for good. Even after deleting the Application Policy from the template, it remained in the list to select. After a short amount of looking in Active Directory Sites and Services (you could just as equally use ADSI Edit), I found that under the Public Key Services node, there is a Container named OID and sure enough in this container, there is a sub-container for each Application Policy and OID that is created. I deleted the Application Policy and the OID from AD and restarted the CA service to allow it to refresh the data from Active Directory. For reference, here’s what AD Sites and Services looks like when you enable the Services view from the toolbar and navigate down to the OID container.
https://richardjgreen.net/rds-case-of-mistaken-pki-oid/
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl


0 Votes
naashan-5887 answered, naashan-5887 edited

Hi,

Thanks for the tip. I will just add that the naming in the mentioned OID container is not obvious. I had to open the properties of the record and confirm it on the Attribute Editor tab (msPKI-Cert-Template-OID value).

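Since the object names under the OID container do not match the policy's display name, here is an added PowerShell example (not from this thread) that finds the msPKI-Enterprise-Oid object by its msPKI-Cert-Template-OID value, lists any certificate templates that still reference it through msPKI-Certificate-Application-Policy, and removes it only when -Remove is passed. It assumes the RSAT ActiveDirectory module, rights to modify the Configuration partition, and that the OID quoted in the question is the one to remove; the flags attribute is shown raw, not decoded.

```powershell
# Added example, not from the thread. Locate and (optionally) remove a custom
# Application Policy OID object from CN=OID,CN=Public Key Services in AD.
param(
    # Assumed: the OID quoted in the question above.
    [string]$Oid = '1.3.6.1.4.1.311.21.8.3081414.15871507.15353277.12066773.4369765.211.2631787.3020186',
    [switch]$Remove
)
Import-Module ActiveDirectory

$configNC          = (Get-ADRootDSE).configurationNamingContext
$oidContainer      = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# The CN of each object in the OID container is a hashed name, so match on
# the msPKI-Cert-Template-OID attribute instead of guessing from the CN.
$found = @(Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
    -Filter "msPKI-Cert-Template-OID -eq '$Oid'" `
    -Properties displayName, 'msPKI-Cert-Template-OID', flags)

if ($found.Count -eq 0) {
    Write-Host "No object with msPKI-Cert-Template-OID = $Oid under $oidContainer"
    return
}

# Before touching anything, check whether any template still lists this OID
# in its application policies; deleting a referenced OID breaks that template.
$referencing = @(Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -Filter "msPKI-Certificate-Application-Policy -eq '$Oid'" -Properties displayName)

foreach ($obj in $found) {
    [pscustomobject]@{
        DistinguishedName   = $obj.DistinguishedName
        DisplayName         = $obj.displayName
        OID                 = $obj.'msPKI-Cert-Template-OID'
        Flags               = $obj.flags          # raw schema value, not decoded here
        ReferencedByTemplates = ($referencing | ForEach-Object { $_.displayName }) -join ', '
    } | Format-List
}

if ($Remove) {
    if ($referencing.Count -gt 0) {
        Write-Warning "OID is still referenced by $($referencing.Count) template(s); remove it from those templates first."
        return
    }
    # Remove-ADObject prompts for confirmation; the CA caches AD data, so
    # restart certsvc on the CA afterwards as the accepted answer describes.
    $found | ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -Confirm:$true }
    Write-Host "Removed. Now run 'Restart-Service certsvc' on the CA to refresh its view of AD."
}
```

Run it once without -Remove to confirm the DisplayName matches the policy you meant to delete, then again with -Remove.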