2008r2 CA, Custom Templates fail with Invalid Issuance Policies
I've built up a new pair of CAs - an offline stand-alone root running 2k8r2 core std, and a 2k8r2ent enterprise subordinate issuing CA following a bit of a mash-up of the 'AD-CS step-by-step guide' and How to Set Up a Certification Authority on a Server Core Installation with some random thoughts from the now rather old Securing Wireless LANs with Certificate Services the default certificate templates - 'authenticated session', 'User', 'computer' etc, enroll happily, but when i creatye a custom template - by copying the authenticated session, for example, allow it auto-enroll right, i recieve the error: Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.6425358.7988157.5852292.8438929.11309333.160.1.400 the event logs give me an event-ID 53 including a simmilar error that adds The certificate has invalid policy. 0x800b0113 (-2146762477) i've dug through this: http://technet.microsoft.com/en-us/library/cc726352(WS.10).aspx but am finding it fairly useless... certutil -urlfetch -verify issueca.cer does give an error: The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614) Revocation check skipped -- no revocation information available is this the problem? surely if that were the issue no certs would enroll?
January 10th, 2011 7:27pm

Can this be your problem? http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d6beffaf-9e97-42a1-aa06-008654b2b77f Martin
Free Windows Admin Tool Kit Click here and download it now
January 11th, 2011 2:52am

Thanks Martin for quoting my previous answer. Lots less typing <G> This is definitely the issue Brian
January 11th, 2011 4:42pm

Many thanks Martin and Brian, you are absolutely right - the affected policies are those where i've set low assurance, those that work have nothing set... back to the test lab ... (i'm starting to regret my decision to use server core wherever possible... its making this all the more fun!)
Free Windows Admin Tool Kit Click here and download it now
January 11th, 2011 6:35pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics