This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 5%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Hello Everyone,
Recently I have renewed my Issuing CA certificate. To be specific, I have just signed the cert and yet to install on CA.
While comparing the attributes of current CA cert & renewed CA cert, i found "Certificate Policies" attribute is missing and "Issuer Statement" option is grayed out on the renewed CA cert.
Went back to CA and found CAPolicy.inf file was missing within C:\Windows directory.
Question set A-
Question set B -
Please also guide me if any other issue that may encounter.
Thanks!
Abdul
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Abdul Khadar ,
Thank you for posting here.
Hope the information Crypt32 provided is helpful.
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Daisy Zhou
Hello @Abdul Khadar ,
Good day!
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
Can i install the renewed CA cert as-is (without having "Certificate Policies" attribute injected within it) ?
yes, you can install it. But certificate will not have certificate policies.
While installing the renewed CA cert, will the CA look for CAPolicy.inf file ?
no. CA looks for CAPolicy.inf only during renewal request generation.
Will the renewal fail if CAPolicy.inf file is not updated within C:\Windows directory ?
CAPolicy.inf file is not required. Though, it is often used on issuing CAs to define custom extensions for CA certificate, like certificate policies.
Post installation, will it create any issue to end users ?
Does any application is configured to look at policies? If not, then there will be no issues. And you must remove certificate policies extension from certificate templates if configured. If CA certificate doesn't have certificate policies extension, then it cannot add certificate policies extension in issued certificates.
Can I place the CApolicy.inf file in C:\windows directory and regenerate the CSR and sign it again ?
yes. However, you must complete current certificate renewal before you get a chance to generate new request.
I will be renewing certificate with same key.
no, this is absolutely a bad idea. CA certificates shall always generate new key pair.
So will it bump the CA version number again ?
yes.
Hi,
Thanks for your reply.
Can I place the CApolicy.inf file in C:\windows directory and regenerate the CSR and sign it again ?
yes. However, you must complete current certificate renewal before you get a chance to generate new request.
With respect to the above comment - I have the option to generate a new CSR before installing the renewed certificate.
We are using windows 2016 platform and I have tested the same in my lab. Able to generate new CSR without completing the current certificate renewal.
Got the new CSR signed by Root CA and observed the CA version number remained the same (did not bump)
Can you help me explain why it is needed to complete the renewal first & then regenerate CSR again having CAPolicy.inf in place ?
I have the option to generate a new CSR before installing the renewed certificate.
I know, but there is a known issue that if you miss CA certificate installation, CA may complain about incorrect CA Version extension value. So I would recommend to complete current renewal and start again.
Hi,
Sorry for late reply.
Just wanted to share the news that I have managed to renew the CA certificate by skipping the current renewal.
Testing performed –
Built a new Test CA having CAPolicy.inf file in place. Able to see “Issuer statement” and “Certificate Policies” extension in CA certificate.
• Removed the CAPolicy.inf file from C:\Windows directory. Regenerated the CSR and signed from Test Root CA. Observed below –
o Issuer statement is greyed
o Certificate policies extension is missing
o CA version is V1.0
• Next, copied the CAPolicy.inf file back to C:\Windows directory. Regenerated the CSR and signed from Test Root CA. Observed below –
o Issuer statement is enabled
o Certificate policies extension is added
o CA version remained the same V1.0 (did not bump)
Note – The latest certificate was installed on Issuing CA, skipping the previously generated CA cert. No issues observed during installation. Post installation I was able to publish CRL, Issue new certificate manually and also auto-enrolment is working fine.
Thank you @Vadims Podāns for your support and guidance.
Regards,
Abdul