AllIssuancePolicy/PolicyStatementExtension and OID clarification
I have a simple 3-tier WS03 PKI (standalone Root, standalone Policy, Enterprise Issuing).
I'm not really clear on whether the [PolicyStatementExtension] and [AllIssuancePolicy] sections should be present in the Root CA's CAPolicy.inf. I was given this by a consultant (partial snippet of the applicable section):
[AllIssuancePolicy]
OID=2.5.29.32.0
URL=http://cps.mycompany.com/cps.htm
Would this be correct, or is there a better best practice to follow?
Also, for the OID: we already have a publicly registered OID for Active Directory (for custom schema extensions). Can this same OID be used for PKI? If so, are there any guidelines on the numbering hierarchy? We follow a hierarchy for schema extensions based on the AD Developer Guidelines and I was curious if there was something similar.
Thanks in advance!
December 8th, 2010 10:41am
Hi,
All Issuance Policy is a predefined issuance policy in Windows. It's fine to include the AllIssuancePolicy part in the CAPolicy.inf of the Root CA.
All Issuance (2.5.29.32.0). The all issuance policy indicates that the issuance policy contains all other issuance policies. Typically, this object identifier is only assigned to CA certificates.
http://technet.microsoft.com/en-us/library/cc736786(WS.10).aspx
As for the OID, we'd better not use the registered OID for AD. This OID is predefined. For other issuance policies, the OID will be generated automatically when you add a new Issuance Policy in the UI. You can of course replace this with a custom OID (that you obtained) from an internet authority that manages OIDs.
This posting is provided "AS IS" with no warranties, and confers no rights.
December 9th, 2010 12:32am
Thanks Joson,
I created a Root CA w/o the [PolicyStatementExtension] and [AllIssuancePolicy] sections in the CAPolicy.inf and it looks like it added all anyway. If I open the certificate, on the General tab it says "All issuance policies" and "All application policies".
If these two correlate, it looks like it defaults to it. Am I reading this correctly?
In General, where would be the most common place to put it, if needed at all (Root, Policy or Issuing CA)? For now, we'll allow all policies, but may change it in the future. Is this easily changeable if we do decide to hone it down later?
For the OID, it seems from all the docs and books I've read that if you plan to allow certs externally (we will be doing this), a publicly registered OID should be obtained. They also list ANSI as one of the places to get it, and that is where we have ours for AD. So, I guess I'm still not clear why this OID could not be used and simply classify a new arc specifically for PKI purposes. Am I misunderstanding the purpose of the OID?
Note: I'm not referring to changing the OID of predefined ones like the All Issuance Policy. I'm referring to OIDs that need to be generated by the customer.
December 9th, 2010 9:29am
A custom arc will be required when you define custom certificate policies (aka issuance policies) for end-entity certificates. For example, you may define a custom policy called "Smart Card Signing" and assign an OID from your private arc. This allows you to restrict certain applications to use only certificates that contain the specified policy.
http://en-us.sysadmins.lv
December 9th, 2010 1:35pm
I assume your response implies I can use my AD OID to create a custom arc for PKI. Is that correct?
December 10th, 2010 9:00am
For internal certificates - yes, you can use automatically generated OIDs. But for external certificates I would advise using your company's registered OID arc.
http://en-us.sysadmins.lv
December 11th, 2010 9:20am
In General, where would be the most common place to put it, if needed at all (Root, Policy or Issuing CA)? For now, we'll allow all policies, but may change it in the future. Is this easily changeable if we do decide to hone it down later?
It depends on your CA hierarchy. If you have a single-tier hierarchy, the PolicyStatementExtension is placed at the root CA. If you have a two-tier hierarchy, it's placed on the issuing CA (or each issuing CA if you have more than one). And in a three-tier hierarchy the PolicyStatementExtension is defined on the Policy CA (or CAs) on the second tier.
And if you need more than one CPS, you will also need to have different PolicyStatementExtensions on different servers.
Best regards, Bjorn Moritz
January 4th, 2011 10:00am
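Putting the two answers together, here is an added example (not posted by anyone in this thread) of a CAPolicy.inf for the second-tier Policy CA in a three-tier hierarchy, where Bjorn says the PolicyStatementExtension belongs, defining two custom issuance policies from a private arc as Vadims describes. The OID arc, policy names, notice text and CPS URL are placeholders to be replaced with your own values.

```ini
; CAPolicy.inf for the Policy CA (second tier of a three-tier hierarchy).
; Example only; the OID arc, policy names and URL below are placeholders.
[Version]
Signature="$Windows NT$"

; The PolicyStatementExtension section lists the policy sections that
; are emitted into the Certificate Policies extension of the CA cert.
; Critical=False keeps relying parties that do not understand the
; extension from rejecting the certificate.
[PolicyStatementExtension]
Policies=InternalPolicy, SmartCardSigningPolicy
Critical=False

; General CPS pointer for internally issued certificates.
; <your-registered-arc> is a placeholder for the arc your organisation
; registered (e.g. an ANSI-assigned arc); .100 is a constructed sub-arc
; chosen here to separate PKI use from the AD schema sub-arc.
[InternalPolicy]
OID=<your-registered-arc>.100.1
Notice="Internal use only. See the CPS for terms."
URL=http://cps.mycompany.com/cps.htm

; A custom issuance policy (Vadims' "Smart Card Signing" example).
; Applications can later be configured to accept only certificates
; that chain to a CA carrying this policy OID.
[SmartCardSigningPolicy]
OID=<your-registered-arc>.100.2
Notice="Smart card signing certificates. See the CPS for terms."
URL=http://cps.mycompany.com/smartcard-cps.htm

; Renewal and CRL settings, unrelated to policy but usual in this file.
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
```

CAPolicy.inf is read only when the CA is installed or its certificate is renewed, so changing the policy set later (as the original poster asks) means editing this file and renewing the Policy CA certificate; `certutil -dump` on the resulting .cer file shows the Certificate Policies extension so the OIDs and CPS URLs can be verified.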