Two tier PKI on Win2k12 ADCS: Invalid Issuance Policies

I've been working on implementing a PKI based on Win2k12 Core. It's a two-tier setup with an offline root and an issuing CA in a failover cluster. This works great as long as I don't add any issuance policies to my templates. Using http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/ as a guide, I even got a PEN from IANA. I've tried several installations of the CAs with different CAPolicy.inf settings to try and convince ADCS to accept these custom OIDs.

Current Root CA CAPolicy.inf

[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]
Empty = true

[CRLDistributionPoint]
Empty = true

[BasicConstraintsExtension]
critical=true
IsCA=true

[certsrv_server]
ProviderName="RSA#Microsoft Software Key Storage Provider" ; standard Microsoft CSP
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=8
CRLPeriod=Years
CRLPeriodUnits=6
CRLOverlapUnits=1
CRLOverlapPeriod=months
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
LoadDefaultTemplates=0

As you can see I haven't asserted any policies in there. But I've tried different variations, even including all the policies I've also asserted below in the issuing CA's CAPolicy.inf, to no avail.

Issuing CA CAPolicy.inf

[Version]
Signature = "$Windows NT$"

[AuthorityInformationAccess]

[CRLDistributionPoint]

[BasicConstraintsExtension]
Pathlength = 0
Critical = true

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=4

CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
ClockSkewMinutes=20

LoadDefaultTemplates=False

[PolicyStatementExtension]
Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement

[SecurityPolicy]
OID=1.3.6.1.4.1.[PEN].509.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf

[CertificateStatement]
OID=1.3.6.1.4.1.[PEN].509.2
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf

[CertificatePracticeStatement]
OID=1.3.6.1.4.1.[PEN].509.10.10.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DNS = ".xxxx.nl"
DNS = ".yyyy.nl"
DNS = ".zzzz.nl"
email= ".xxxx.nl"
email= ".yyyy.nl"
email = ".zzzz.nl"
UPN= ".xxxx.nl"
UPN= ".yyyy.nl"
UPN = ".zzzz.nl"
UPN= "@xxxx.nl"
UPN= "@yyyy.nl"
UPN = "@zzzz.nl"
URL="http://.xxxx.nl"
URL="http://.yyyy.nl"
URL="http://.zzzz.nl"
DIRECTORYNAME="DC=xxxx,dc=nl"
DIRECTORYNAME="DC=yyyy,dc=nl"
DIRECTORYNAME="DC=zzzz,dc=nl"

[NameConstraintsExcluded]

The error message the CA spits out when I try to get myself a webserver certificate issued is:

Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.[PEN].509.10.10.1

Whatever I try I can't get rid of it. I'm basically at the end of what I can think of to get this PKI thing to work short of not using an issuance policy in my templates at all or +CRLF_IGNORE_INVALID_POLICIES on the issuing CA. The only option I haven't tried is installing CAs with the AllIssuancePolicy OID (2.5.29.32.0). But darnit, I shouldn't have to.

I know it's a lot to ask, but after a week of messing with this, reading and trying to understand everything I can find about it, I'm getting tired of it: Is there a simple-to-follow step-by-step howto available on how to get these friggen custom OIDs to work properly in a Microsoft ADCS? I can't seem to puzzle it together using technet, these forums or google. It seems to be a black art or somesuch.

August 21st, 2015 3:44am
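A sanity check worth running on a CAPolicy.inf before installing or renewing a CA: the file format allows repeated keys and nothing validates it at install time, so a typo in the policy wiring (a name listed under Policies= whose section is spelled differently, a missing or malformed OID) only surfaces later as an issuance failure. The linter below is an added example, not code from the original post or from Microsoft; it parses the INF syntax with a small custom parser (configparser would collapse the duplicate DNS= lines) and reports policy-wiring mistakes. The sample file is constructed from the issuing CA config above, with 99999 as a placeholder PEN, and the check does catch one thing visible in the posted file: Policies= names CertificatePolicy while the section is called [CertificateStatement].

```python
"""Lint a CAPolicy.inf for issuance-policy wiring mistakes (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Section = List[Tuple[str, str]]   # ordered (key, value) pairs; duplicates kept
Config = Dict[str, Section]       # section name (original case) -> pairs

# Dotted OID: first arc 0-2, then at least one more numeric arc.
OID_RE = re.compile(r"^[0-2](\.\d+)+$")


def parse_capolicy(text: str) -> Config:
    """Parse INF-style text into ordered sections. ';' starts a comment,
    repeated keys are preserved, quotes around values are stripped."""
    cfg: Config = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            cfg.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        cfg[current].append((key.lower(), value.strip('"')))
    return cfg


def find_section(cfg: Config, name: str) -> Optional[Section]:
    """Section lookup is case-insensitive, as Windows treats INF names."""
    for sname, sect in cfg.items():
        if sname.lower() == name.lower():
            return sect
    return None


def values(section: Section, key: str) -> List[str]:
    return [v for k, v in section if k == key.lower()]


def lint_issuance_policies(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy wiring is consistent."""
    cfg = parse_capolicy(text)
    findings: List[str] = []
    pse = find_section(cfg, "PolicyStatementExtension")
    if pse is None:
        return findings                       # no issuance policies asserted
    names: List[str] = []
    for v in values(pse, "Policies"):
        names.extend(n.strip() for n in v.split(",") if n.strip())
    listed = {n.lower() for n in names}
    seen_oids: Dict[str, str] = {}
    for name in names:
        sect = find_section(cfg, name)
        if sect is None:
            findings.append(f"policy '{name}' is listed in Policies= but there is no [{name}] section")
            continue
        oids = values(sect, "OID")
        if len(oids) != 1:
            findings.append(f"[{name}] must have exactly one OID= line, found {len(oids)}")
            continue
        oid = oids[0]
        if not OID_RE.match(oid):
            findings.append(f"[{name}] OID '{oid}' is not a valid dotted OID")
        elif oid in seen_oids:
            findings.append(f"[{name}] reuses OID {oid} already declared by [{seen_oids[oid]}]")
        else:
            seen_oids[oid] = name
        if not values(sect, "URL") and not values(sect, "Notice"):
            findings.append(f"[{name}] has neither URL= nor Notice=, so relying parties get no pointer to the policy text")
    # A section that carries an OID but is not referenced is almost always a name mismatch.
    for sname, sect in cfg.items():
        if values(sect, "OID") and sname.lower() not in listed:
            findings.append(f"[{sname}] declares an OID but is not listed in Policies= (name mismatch?)")
    return findings


# Constructed sample mirroring the issuing CA file in the post.
# 99999 is a placeholder PEN, not a registered IANA number.
SAMPLE = """
[Version]
Signature = "$Windows NT$"

[PolicyStatementExtension]
Policies=SecurityPolicy,CertificatePolicy,CertificatePracticeStatement

[SecurityPolicy]
OID=1.3.6.1.4.1.99999.509.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_SP.pdf

[CertificateStatement]
OID=1.3.6.1.4.1.99999.509.2
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CS.pdf

[CertificatePracticeStatement]
OID=1.3.6.1.4.1.99999.509.10.10.1
URL=http://pki.xxxx.nl/pki/PKI-xxxx_CPS.pdf

[NameConstraintsPermitted]
DNS = ".xxxx.nl"
DNS = ".yyyy.nl"
"""

# Same file with Policies= pointing at the section name that actually exists.
FIXED = SAMPLE.replace("SecurityPolicy,CertificatePolicy,", "SecurityPolicy,CertificateStatement,")

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("names aligned", FIXED)):
        print(f"--- {label} ---")
        print("\n".join(lint_issuance_policies(text)) or "no findings")
```

Run it against the real file with `python lint_capolicy.py` after pasting the file into SAMPLE (or reading it from disk); the linter only checks internal consistency of the INF, not whether the parent CA certificate actually carries those policy OIDs, so a clean result here does not by itself rule out an "Invalid Issuance Policies" error at issuance time.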

