Microsoft KB Archive/927169

= Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key =

Article ID: 927169

Article Last Modified on 11/10/2006

-

APPLIES TO

 Microsoft Windows Server 2003 Service Pack 1, when used with:  Microsoft Windows Server 2003, Standard Edition (32-bit x86)

 Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

 Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)  Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)</li> Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)</li> Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)</li></ul>

-

<div class="symptoms_section">

SYMPTOMS
Consider the following scenario. On a computer that is running Microsoft Windows Server 2003 R2 or Microsoft Windows Server 2003 with Service Pack 1 (SP1), you create a certification authority (CA). You then add custom extensions in the CAPolicy.inf file. Then, you renew the root CA certificate by using a new key. In this scenario, the custom extensions do not take effect.

For example, you use the CAPolicy.inf file to suppress the CRL distribution point extension. Then, you renew the CA certificate by using a new key. In this example, the root certificate still has the CDP extension.

<div class="resolution_section">

RESOLUTION
To resolve this problem, renew the CA certificate again. This time, use the same key for the new root CA certificate. To do this, run the following commands at the command prompt:

Certutil -renewCert ReuseKeys

Net stop CertSvc

Net start CertSvc

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbexpertiseinter kbtshoot kbprb KB927169

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.