Microsoft KB Archive/283789

= The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate =

Article ID: 283789

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q283789



SYMPTOMS
The Issuer Statement button is unavailable in the View Certificate dialog box even though a policy statement had been specified in the Capolicy.inf file.



CAUSE
The Certificate Services Setup code constructs a Public-Key Cryptography Standard #10 (PKCS #10) request that contains an array of X.509 extensions that should be included in the issued certificate. If the policy statement is included in a properly formatted Capolicy.inf file located in %SystemRoot%, the policy statement information is included in the request sent to the server.

When the PKCS #10 request is submitted to the certification authority (CA), the CA's policy module must take action to put the policy statement information that is included with the request into the appropriate extension in the certificate.

By design, extensions included in requests are added to the certificate server database, but are not included in the certificate. Certificate Services relies upon its configuration information in the registry to determine exactly which extensions to transfer from a request to the certificate. To check the current settings, perform the following steps:  On the CA that will process requests that have policy statements, start the Cmd.exe program. Type the following command line, and then press ENTER:

certutil -v -getreg Policy\EnableRequestExtensionList

 The returned information should resemble the following:

 EnableRequestExtensionList REG_MULTI_SZ =

0: 2.5.29.37 -- Enhanced Key Usage 1: 2.5.29.15 -- Key Usage 2: 2.5.29.17 -- Subject Alternative Name 3: 1.3.6.1.4.1.311.21.1 -- CA Version 4: 2.5.29.32 -- Certificate Policies



If the Certificate Policies object identifier (OID) is missing, the policy module does not transfer the policy statement information from the PKCS #10 request to the issued certificate.



RESOLUTION
To resolve this behavior, follow these steps:  On the CA, start the Cmd.exe program. Type the following command line, and then press ENTER:

certutil -setreg Policy\EnableRequestExtensionList +&quot;2.5.29.32&quot;

</li>  The returned information should look similar to the following: <pre class="fixed_text">SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\TestCA\PolicyModules\ CertificateAuthority_MicrosoftDefault.Policy\EnableRequestExtensionList:

Old Value: EnableRequestExtensionList REG_MULTI_SZ = 0: 2.5.29.32 Certificate Policies 1: 1.2.840.113549.1.9.15 SMIME Capabilities 2: 1.3.6.1.4.1.311.21.1 CA Version 3: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash New Value: EnableRequestExtensionList REG_MULTI_SZ = 0: 1.2.840.113549.1.9.15 SMIME Capabilities 1: 1.3.6.1.4.1.311.21.1 CA Version 2: 1.3.6.1.4.1.311.21.2 Previous CA Certificate Hash 3: 2.5.29.15 Key Usage 4: 2.5.29.32 Certificate Policies CertUtil: -setreg command completed successfully. You may have to restart the CertSvc service for the changes to take effect. </li> Stop and restart Certificate Services. No special settings are required when you include Certificate Policy information in a root CA certificate. When you install a root CA, all settings that are specified in the Capolicy.inf file are copied into the root CA certificate.</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
You can also use the Certutil.exe program to verify that the policy statement information is actually included in the request. To observe this information, save the certificate request to a file, and then type the following line at a command prompt:

certutil .req

The returned information should look like the following: <pre class="fixed_text">   2.5.29.32: Flags = 0, Length = 1e1 Certificate Policies [1]Certificate Policy: PolicyIdentifier=1.3.6.1.4.1.311.21.43 [1,1]Policy Qualifier Info: Policy Qualifier Id=User Notice Qualifier: Notice Text=Legal policy statement text. [2]Certificate Policy: PolicyIdentifier=1.3.6.1.4.1.311.21.47 [2,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://http.site.com/some%20where/default.asp [2,2]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: ftp://ftp.site.com/some%20where%20else/default.asp [2,3]Policy Qualifier Info: Policy Qualifier Id=User Notice Qualifier: Notice Text=Limited use policy statement text. [2,4]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: ldap://ldap.site.com/some%20where%20else%20again/default.asp [3]Certificate Policy: PolicyIdentifier=1.3.6.1.4.1.311.21.53 [3,1]Policy Qualifier Info: Policy Qualifier Id=CPS Qualifier: http://extra.site.com/Extra%20Policy/default.asp [4]Certificate Policy: PolicyIdentifier=1.3.6.1.4.1.311.21.55 Even though the details can vary, if the 2.5.29.32 section exists, the policy statement information is included in the certificate request. If this section is not included in the request, you must verify the format of the Capolicy.inf file.

Keywords: kbenv kbprb KB283789

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.