"Certificate Policies" attribute is missing and "Issuer Statement" option is grayed out on the renewed CA cert

asked 2020-08-20T17:55:42.023+00:00
Abdul Khadar 21 Reputation points

Hello Everyone,

Recently I have renewed my Issuing CA certificate. To be specific, I have just signed the cert and have yet to install it on the CA.
While comparing the attributes of the current CA cert and the renewed CA cert, I found the "Certificate Policies" attribute is missing and the "Issuer Statement" option is grayed out on the renewed CA cert.

Went back to CA and found CAPolicy.inf file was missing within C:\Windows directory.

Question set A-

  1. Can I install the renewed CA cert as-is (without having the "Certificate Policies" attribute injected within it)?
  2. While installing the renewed CA cert, will the CA look for the CAPolicy.inf file? Will the renewal fail if the CAPolicy.inf file is not updated within the C:\Windows directory?
  3. Post installation, will it create any issue to end users ?

Question set B -

  1. Can I place the CAPolicy.inf file in the C:\Windows directory, regenerate the CSR and sign it again?
  2. I will be renewing the certificate with the same key. So will it bump the CA version number again? (The CA version of the renewed cert is 3.0.)

Please also guide me on any other issue that I may encounter.

Thanks!
Abdul


Accepted answer
  1. answered 2020-08-20T19:58:28.903+00:00
    Vadims Podāns 8,081 Reputation points Microsoft MVP

    Can I install the renewed CA cert as-is (without having the "Certificate Policies" attribute injected within it)?

    Yes, you can install it, but the certificate will not have certificate policies.

    While installing the renewed CA cert, will the CA look for the CAPolicy.inf file?

    No. The CA looks for CAPolicy.inf only during renewal request generation.

    Will the renewal fail if the CAPolicy.inf file is not updated within the C:\Windows directory?

    The CAPolicy.inf file is not required, though it is often used on issuing CAs to define custom extensions for the CA certificate, like certificate policies.

    Post installation, will it create any issue for end users?

    Is any application configured to look at policies? If not, then there will be no issues. You must also remove the certificate policies extension from certificate templates if it is configured there. If the CA certificate doesn't have the certificate policies extension, then it cannot add the certificate policies extension to issued certificates.

    Can I place the CAPolicy.inf file in the C:\Windows directory, regenerate the CSR and sign it again?

    Yes. However, you must complete the current certificate renewal before you get a chance to generate a new request.

    I will be renewing the certificate with the same key.

    No, this is absolutely a bad idea. A CA certificate renewal shall always generate a new key pair.

    So will it bump the CA version number again?

    Yes.


2 additional answers

  1. answered 2020-08-21T13:46:58.43+00:00
    Vadims Podāns 8,081 Reputation points Microsoft MVP

    I have the option to generate a new CSR before installing the renewed certificate.

    I know, but there is a known issue: if you miss the CA certificate installation, the CA may complain about an incorrect CA Version extension value. So I would recommend completing the current renewal and starting again.


  2. answered 2020-10-19T17:03:30.853+00:00
    Abdul Khadar 21 Reputation points

    Hi,

    Sorry for the late reply.
    I just wanted to share the news that I have managed to renew the CA certificate by skipping the current renewal.

    Testing performed –
    Built a new Test CA with a CAPolicy.inf file in place. I was able to see the "Issuer Statement" and "Certificate Policies" extension in the CA certificate.

      1. Removed the CAPolicy.inf file from the C:\Windows directory. Regenerated the CSR and signed it from the Test Root CA. Observed the following –
         - Issuer Statement is greyed out
         - Certificate Policies extension is missing
         - CA version is V1.0
      2. Next, copied the CAPolicy.inf file back to the C:\Windows directory. Regenerated the CSR and signed it from the Test Root CA. Observed the following –
         - Issuer Statement is enabled
         - Certificate Policies extension is added
         - CA version remained the same, V1.0 (did not bump)

    Note – The latest certificate was installed on the Issuing CA, skipping the previously generated CA cert. No issues were observed during installation. Post installation I was able to publish the CRL and issue a new certificate manually, and auto-enrolment is also working fine.

    Thank you @Vadims Podāns for your support and guidance.

    Regards,
    Abdul

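An added example (not code from the thread) covering two things discussed above: the CAPolicy.inf content that supplies the Certificate Policies extension and the side-by-side comparison of the current and renewed CA certificate extensions. It assumes Windows PowerShell on a box with the .NET X509 classes; the policy OID, URL and file paths are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1+.
# The OID, notice text, URL and file paths below are placeholders.

# Minimal CAPolicy.inf that adds a Certificate Policies extension (and with it an
# "Issuer Statement") to the next renewal request. Per the accepted answer, the CA
# reads %SystemRoot%\CAPolicy.inf only while generating the renewal request, so it
# must be in place before "Renew CA Certificate" is run.
$caPolicyInf = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1
Notice="Placeholder CPS notice"
URL=http://pki.example.test/cps.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
# Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicyInf -Encoding Ascii

function Get-CaCertExtensionSummary {
    param([Parameter(Mandatory)][string]$Path)   # exported .cer of a CA certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $policies  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }            # Certificate Policies
    $caVersion = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.1' }  # CA Version
    $certIndex = $keyIndex = $null
    if ($caVersion) {
        # DER INTEGER: 02 <len> <big-endian value>; low 16 bits = cert index, high 16 bits = key index
        $raw = $caVersion.RawData
        $value = 0
        foreach ($b in $raw[2..($raw.Length - 1)]) { $value = ($value -shl 8) -bor $b }
        $certIndex = $value -band 0xFFFF
        $keyIndex  = ($value -shr 16) -band 0xFFFF
    }
    [pscustomobject]@{
        Subject                = $cert.Subject
        HasCertificatePolicies = [bool]$policies
        PolicyDetails          = if ($policies) { $policies.Format($true) } else { 'missing (Issuer Statement greyed out)' }
        CAVersion              = if ($caVersion) { "V$certIndex.$keyIndex" } else { 'n/a' }
    }
}

# Compare the current and the renewed CA certificate before installing the latter:
# Get-CaCertExtensionSummary -Path 'C:\temp\current-ca.cer'
# Get-CaCertExtensionSummary -Path 'C:\temp\renewed-ca.cer'
```

A renewal done with the same key keeps the key index and only increments the certificate index, which is why the thread's V3.0 would become V4.0 rather than V4.1.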