Microsoft KB Archive/927169



Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key

Article ID: 927169

Article Last Modified on 11/10/2006



APPLIES TO

  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-bit x86)



SYMPTOMS

Consider the following scenario. On a computer that is running Microsoft Windows Server 2003 R2 or Microsoft Windows Server 2003 with Service Pack 1 (SP1), you create a certification authority (CA). You then add custom extensions in the CAPolicy.inf file. Then, you renew the root CA certificate by using a new key. In this scenario, the custom extensions do not take effect.

For example, you use the CAPolicy.inf file to suppress the CRL distribution point (CDP) extension. Then, you renew the CA certificate by using a new key. In this example, the root certificate still has the CDP extension.

RESOLUTION

To resolve this problem, renew the CA certificate again. This time, use the same key for the new root CA certificate. To do this, run the following commands at the command prompt:

Certutil -renewCert ReuseKeys
Net stop CertSvc
Net start CertSvc
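
Whether a renewed root certificate still carries the CDP extension can be checked directly against the certificate file. The following is an added example, not part of the original article: a standard-library Python check for the CRL Distribution Points OID (2.5.29.31) in a DER-encoded certificate. The function names and the sample certificate skeleton are constructed for illustration.

```python
CDP_OID = "2.5.29.31"                       # id-ce-cRLDistributionPoints

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):                 # split contents into (tag, value) pairs
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    first = min(body[0] // 40, 2)           # first byte packs the first two arcs
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    _, cert, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, tbs = children(cert)[0]              # tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            _, ext_list = children(val)[0]  # SEQUENCE OF Extension
            return [decode_oid(children(ext)[0][1]) for _, ext in children(ext_list)]
    return []                               # no extensions present

def has_cdp(cert_der):
    return CDP_OID in extension_oids(cert_der)

# Constructed sample: a certificate-shaped DER skeleton, not a real CA certificate.
# Empty SEQUENCEs stand in for algorithms, names, validity and the public key.
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body   # short-form length, body under 128 bytes

def sample_cert(with_cdp):
    exts = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, b"\x30\x03\x01\x01\xff"))
    if with_cdp:
        exts += tlv(0x30, tlv(0x06, b"\x55\x1d\x1f") + tlv(0x04, b"\x30\x00"))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30) * 5
              + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + tlv(0x30) + b"\x03\x01\x00")
```

To use it on a real CA, pass the bytes of the root certificate saved in DER form to has_cdp; a result of False means the certificate has no CDP extension.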


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbexpertiseinter kbtshoot kbprb KB927169