I've been working on implementing a PKI based on Win2k12 Core. It's a two-tier setup with an offline root and an issuing CA in a failover cluster. This works great as long as I don't add any issuance policies in my templates. Using http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/ as a guide, I even got a PEN from IANA. I've tried several installations of the CAs with different CAPolicy.inf settings to try and convince ADCS to accept these custom OIDs.
Current Root CA CAPolicy.inf
[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]
Empty = true

[CRLDistributionPoint]
Empty = true

[BasicConstraintsExtension]
critical=true
IsCA=true

[certsrv_server]
ProviderName="RSA#Microsoft Software Key Storage Provider" ; standard Microsoft CSP
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=8
CRLPeriod=Years
CRLPeriodUnits=6
CRLOverlapUnits=1
CRLOverlapPeriod=months
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
LoadDefaultTemplates=0
As you can see, I haven't asserted any policies in there. But I've tried different variations, even including all the policies I've also asserted below in the issuing CA's CAPolicy.inf, to no avail.
Issuing CA CAPolicy.inf
[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]

[CRLDistributionPoint]

[BasicConstraintsExtension]
Pathlength = 0
Critical = true

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=4
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
ClockSkewMinutes=20
LoadDefaultTemplates=False

[PolicyStatementExtension]
Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement

[SecurityPolicy]
OID=1.3.6.1.4.1.[PEN].509.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf

[CertificateStatement]
OID=1.3.6.1.4.1.[PEN].509.2
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf

[CertificatePracticeStatement]
OID=1.3.6.1.4.1.[PEN].509.10.10.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS = ".xxxx.nl"
DNS = ".yyyy.nl"
DNS = ".zzzz.nl"
email = ".xxxx.nl"
email = ".yyyy.nl"
email = ".zzzz.nl"
UPN = ".xxxx.nl"
UPN = ".yyyy.nl"
UPN = ".zzzz.nl"
UPN = "@xxxx.nl"
UPN = "@yyyy.nl"
UPN = "@zzzz.nl"
URL = "http://.xxxx.nl"
URL = "http://.yyyy.nl"
URL = "http://.zzzz.nl"
DIRECTORYNAME = "DC=xxxx,dc=nl"
DIRECTORYNAME = "DC=yyyy,dc=nl"
DIRECTORYNAME = "DC=zzzz,dc=nl"

[NameConstraintsExcluded]
The error message the CA spits out when I try to get myself a webserver certificate issued is:
Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.[PEN].509.10.10.1
Whatever I try, I can't get rid of it. I'm basically at the end of what I can think of to get this PKI thing to work, short of not using an issuance policy in my templates at all or setting +CRLF_IGNORE_INVALID_POLICIES on the issuing CA. The only option I haven't tried is installing the CAs with the AllIssuancePolicy OID (2.5.29.32.0). But darnit, I shouldn't have to.
I know it's a lot to ask, but after a week of messing with this, reading and trying to understand everything I can find about it, I'm getting tired of it: Is there a simple-to-follow step-by-step howto available on how to get these friggen custom OIDs to work properly in Microsoft ADCS? I can't seem to puzzle it together using TechNet, these forums or Google. It seems to be a black art or some such.
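A check worth running on a CAPolicy.inf before installing the CA, as an added example that is not the poster's code and not part of ADCS: it parses the policy sections, flags names in Policies= that have no matching section carrying an OID=, and tests whether a given issuance OID is one the resulting CA certificate would contain (the CA refuses a template's issuance policy that its own certificate does not carry, unless that certificate asserts anyPolicy or CRLF_IGNORE_INVALID_POLICIES is set). The sample is the issuing CA's policy sections from the post with the URL= lines dropped and the [PEN] placeholder kept.

```python
import re
# Constructed sample: the issuing CA's policy sections from the post, URL= lines
# omitted, [PEN] placeholder kept verbatim (it is not a real IANA enterprise number).
SAMPLE_INF = """\
[PolicyStatementExtension]
Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement
[SecurityPolicy]
OID=1.3.6.1.4.1.[PEN].509.1
[CertificateStatement]
OID=1.3.6.1.4.1.[PEN].509.2
[CertificatePracticeStatement]
OID=1.3.6.1.4.1.[PEN].509.10.10.1
"""
ANY_POLICY = "2.5.29.32.0"  # anyPolicy, the OID the AllIssuancePolicy workaround asserts

def parse_inf(text):
    """CAPolicy.inf -> {section: [(key, value)]}; duplicate keys are kept on purpose."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip().strip('"')))
    return sections

def check_policies(text):
    """(problems, oids): dangling Policies= names, and the policy OIDs the CA cert carries."""
    sections = parse_inf(text)
    problems, oids = [], []
    names = dict(sections.get("policystatementextension", [])).get("policies", "")
    for name in (n.strip() for n in names.split(",") if n.strip()):
        oid = dict(sections.get(name.lower(), [])).get("oid")
        if oid:
            oids.append(oid)
        else:
            problems.append(f"Policies= names [{name}] but no section [{name}] with an OID= exists")
    return problems, oids

def ca_allows_issuance_oid(text, oid):
    """The CA rejects a request asserting an issuance policy its certificate lacks,
    unless that certificate carries anyPolicy (or CRLF_IGNORE_INVALID_POLICIES is set)."""
    _, oids = check_policies(text)
    return oid in oids or ANY_POLICY in oids
```

Run it against the real file before installing the CA; a dangling name in Policies= is worth fixing regardless of whether it turns out to be the cause of the rejection.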