2008r2 CA, Custom Templates fail with Invalid Issuance Policies
I've built up a new pair of CAs - an offline stand-alone root running 2k8r2 core std, and a 2k8r2ent enterprise subordinate issuing CA - following a bit of a mash-up of the 'AD-CS step-by-step guide' and 'How to Set Up a Certification Authority on a Server Core Installation', with some random thoughts from the now rather old 'Securing Wireless LANs with Certificate Services'.
The default certificate templates - 'authenticated session', 'User', 'computer' etc. - enroll happily, but when I create a custom template - by copying the authenticated session, for example, and allowing it the auto-enroll right - I receive the error:
Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.6425358.7988157.5852292.8438929.11309333.160.1.400
The event logs give me an event ID 53 including a similar error that adds:
The certificate has invalid policy. 0x800b0113 (-2146762477)
I've dug through this:
http://technet.microsoft.com/en-us/library/cc726352(WS.10).aspx
but am finding it fairly useless...
certutil -urlfetch -verify issueca.cer
does give an error:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
Revocation check skipped -- no revocation information available
Is this the problem? Surely if that were the issue no certs would enroll?
January 10th, 2011 7:27pm
Can this be your problem? http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d6beffaf-9e97-42a1-aa06-008654b2b77f
Martin
January 11th, 2011 2:52am
Thanks Martin for quoting my previous answer.
Lots less typing <G>
This is definitely the issue
Brian
January 11th, 2011 4:42pm
Many thanks Martin and Brian, you are absolutely right - the affected policies are those where I've set low assurance, those that work have nothing set...
Back to the test lab ... (I'm starting to regret my decision to use server core wherever possible... it's making this all the more fun!)
January 11th, 2011 6:35pm