Computer Certificate Autoenrollment Failing
Let me start by saying that PKI is not my forte, so sorry if I'm not describing something correctly. I have just migrated our existing 2003 PKI infrastructure (here when I got here) to 2008 R2 (offline root, 2 enterprise issuing CA servers) using the instructions provided in the Upgrade and Migration Guide. It went pretty smoothly, but I am having a few issues that I could use some advice on.

First is that autoenrollment workstation certs are failing with this error:

Active Directory Certificate Services denied request 8016 because The certificate has invalid policy. 0x800b0113 (-2146762477). The request was for CN=COMPUTER. Additional information: Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.15058993.553211.7815581.8108397.4113659.103.1.400

I found the following post that I think will fix my issue: http://silkspun.com/2012/02/14/issuance-policies-with-a-ca-upgrade-to-windows-2008-r2-ad-cs-pki/ My CA certs do not have "All issuance policies" on them, and it's an article about an issue with a PKI upgraded to 2008 R2, so I think this is what I need. I'm wanting to do option 1, as I really don't want to reissue CA certs if I don't have to, which involves running this command:

certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES

This sounds like it would fix my problem. My first question is, if for some reason this does not work, how do I undo that command, just change the plus to a minus? Or would it even be necessary?

Secondly, after the migration, I've noticed that CRLs and deltas aren't being published to the secondary location. It looks like they're being published to AD just fine (Revoked Certificates Properties -> CRL publishing tab), but the other location is an http:// location. Looking at the old 2003 servers, it seems there is a scheduled task that calls a bunch of .wsf and .vbs scripts to publish to the http:// location.
So second question is should I just copy over those scripts and recreate the scheduled task, or is there a new and improved method for this?
July 31st, 2012 12:13pm

The article you are referencing is wrong and the provided workaround is wrong. This flag allows you to disable policy verification only on the CA server. If the certificate is presented to an application that strictly checks certificate policies, the application may reject the certificate. Therefore, you must fix your CA and template policies.

> So second question is should I just copy over those scripts and recreate the scheduled task, or is there a new and improved method for this?

I don't know how it works now. You can try to ask someone who deployed your PKI.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
July 31st, 2012 2:06pm

So then I should use Method #2, then, correct? The guy who deployed the PKI here did it in 2006 and was a contractor, no idea where he can be found.
July 31st, 2012 3:03pm

Also, Contoso Pharmaceuticals, nice :)
July 31st, 2012 3:07pm

You can renew the CA certificate with an updated CAPolicy.inf file, however it is not necessary right now. At this point it is enough to remove all issuance policies from the certificate template Extensions tab.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
July 31st, 2012 3:28pm
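As an added example (not from the thread or from either poster), a PowerShell check for exactly the mismatch discussed above: which templates in the forest declare issuance policies in msPKI-Certificate-Policy, and whether the issuing CA's own certificate permits each one, so you can see the offending template before editing its Extensions tab. It assumes the ActiveDirectory module is available, that $CaCertPath (a placeholder) points at an exported copy of the issuing CA certificate, and that crypt32 renders the Certificate Policies extension as "Policy Identifier=" lines.

```powershell
# Added example, not from the thread: for each AD certificate template that carries
# issuance policies (msPKI-Certificate-Policy), report whether the issuing CA's
# certificate permits that policy. A template policy missing from the CA cert's
# Certificate Policies extension, with no "All issuance policies" (2.5.29.32.0)
# present, is what produces the 0x800b0113 "invalid policy" denial in the question.
# Assumptions: ActiveDirectory module available; $CaCertPath is a placeholder
# pointing at an exported copy of the issuing CA certificate.
param(
    [string]$CaCertPath = 'C:\PKI\IssuingCA.cer'   # placeholder, replace with your export
)
Import-Module ActiveDirectory

# 1. Policies the CA certificate is allowed to issue (extension OID 2.5.29.32).
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$ext = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$caPolicies = @()
if ($ext) {
    # Assumption: crypt32's text rendering lists one "Policy Identifier=..." per policy
    # and shows anyPolicy by its friendly name, so map that back to 2.5.29.32.0.
    $caPolicies = [regex]::Matches($ext.Format($true), 'Policy Identifier=([^\r\n]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() } |
        ForEach-Object { if ($_ -eq 'All issuance policies') { '2.5.29.32.0' } else { $_ } }
}
# Assumption: a CA cert with no Certificate Policies extension at all is treated as unrestricted.
$caAllowsAny = (-not $ext) -or ($caPolicies -contains '2.5.29.32.0')

# 2. Templates in the Configuration partition that declare issuance policies.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates = Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Policy'

# 3. Cross-check: rows with AllowedByCA = False are the templates autoenrollment trips over.
$report = foreach ($t in $templates) {
    foreach ($oid in @($t.'msPKI-Certificate-Policy')) {
        if (-not $oid) { continue }
        [pscustomobject]@{
            Template       = $t.Name
            IssuancePolicy = $oid
            AllowedByCA    = ($caAllowsAny -or ($caPolicies -contains $oid))
        }
    }
}
$report | Sort-Object AllowedByCA, Template | Format-Table -AutoSize
```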

Looks like low assurance is the only one, I'll try removing it after hours, thanks.
July 31st, 2012 4:25pm

One more thing. I copied the scripts from the 2003 server and recreated the scheduled tasks for them, they are updating correctly now. Don't know if that's the recommended method, but it still works.
August 2nd, 2012 4:27pm

Hi Aubrey, Thanks for sharing with us. :)

Regards, Kevin
TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 2nd, 2012 10:51pm
