Cross-certificate between two root Microsoft CAs
Hi all, I have a win2008 R2 root CA and a win2003 enterprise root CA. How can I cross-certify the two root CAs? I have read MS article 290760 but that is for Entrust CA, and certain certutil options are not available as listed. When I use base64 to submit the request, I get "Denied by Policy Module 0x80094802: The request specifies Conflicting certificate Templates: <Template Name>", whatever template name is selected. Any help will help.
December 16th, 2009 1:50am

Look at the cross-certification whitepaper: technet.microsoft.com/en-us/library/cc787237(WS.10).aspx
From the looks of your error, you are missing several key steps and have not provided enough information to troubleshoot.
- What does your inf file look like?
- Did you run certreq correctly to generate the CrossCA request?
- Did you create a QS Signing certificate template?
Brian
December 16th, 2009 1:53am

I agree with Brian. Also, can you show your policy.inf file? Have you added this section in the INF file: [RequestAttributes] CertificateTemplate = CrossCA?
http://www.sysadmins.lv
December 16th, 2009 12:44pm

Thanks all for shedding some light on this. I have gone through the steps to create the Qualified Subord cert. Followed the white-paper steps to create the cross certificate, and ended at the similar error posted online: "Denied by Policy Module. Certificate Authority's certificate contains invalid data. 0x80094005". I saw one person said the PathLength=0 was his typo. My CAPolicy.inf contains PathLength=0, so I changed it to 1. Still Denied as above. Here is my CAPolicy.inf:
================================
[Version]
Signature= "$Windows NT$"

[certsrv_server]
CRLPeriod = weeks
CRLPeriodUnits = 26

[PolicyStatementExtension]
Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
CRITICAL = FALSE

[HighAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.402

[MediumAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.401

[LowAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.2473717464.1095930238.502626717.506190032.1.400

[PolicyConstraintsExtension]
RequireExplicitPolicy = 0
InhibitPolicyMapping = 0

[BasicConstraintsExtension]
PathLength = 1
====================
What more should I look into?
Julius
January 12th, 2010 9:23pm

I noticed my INF needs a cert template, so I submitted the request via the web and bypassed that error, only to arrive at the next error: "Denied ... invalid data".
January 12th, 2010 9:26pm

You should get your own OID arc. You are using Microsoft OIDs. I have found when doing this, it often breaks (they may be too long).
Brian
January 13th, 2010 4:03am

Adding to Brian's post: http://pen.iana.org/pen/PenApplication.page - here you can request your own OID.
http://www.sysadmins.lv
January 13th, 2010 9:54am

Actually, the CAPolicy.inf I used is below, after I modified the sample Microsoft Policy.inf I quoted above with the AssurancePolicy OID from the machine. This is a lab machine:
[Version]
Signature= "$Windows NT$"

[certsrv_server]
CRLPeriod = weeks
CRLPeriodUnits = 26

[PolicyStatementExtension]
Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
CRITICAL = FALSE

[HighAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.402

[MediumAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.401

[LowAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.14586716.14314734.10045844.12978937.5620426.33.1.400

[PolicyConstraintsExtension]
RequireExplicitPolicy = 0
InhibitPolicyMapping = 0

[BasicConstraintsExtension]
PathLength = 1

[RequestAttributes]
CertificateTemplate = CrossCA
January 13th, 2010 7:12pm

I have created the cross-certs successfully on my CAs. However, when trying to sign email with the user cert from either domain, the cross certificate was flagged with "certificate has Invalid Policy". Are these added policy statement extensions the problem, and why are these (Assurance policies) required? Thanks for your input.
January 15th, 2010 2:25am

You have shown us a CAPolicy.inf. To do cross certification, you need a properly configured policy.inf. You have not shown us anything about this configuration file. In here, you would define:
- Certificate policy OID mapping
- Allowed application policies
- Name constraints
Your basic constraints pathlength will be an issue in your capolicy.inf if the partner org has anything other than an Enterprise Root CA.
Brian
January 15th, 2010 5:00am

Brian, reading through the whitepaper, I could not differentiate that there must be a policy.inf separate from the CAPolicy.inf. Where should Policy.inf be placed? Also, is there a sample I can view? Thanks for your help.
January 15th, 2010 7:10pm

> Where should Policy.inf be placed?
Anywhere. When you run certreq.exe you will set the switch -policy and the path to the policy.inf file. Therefore there are no restrictions on file naming and placing. You may run this command:
certreq -policy
and you will be able to select the policy.inf file (in the second step; in the first step you will need to select the CA certificate). Looking at Brian's link, you can find the Appendix, http://technet.microsoft.com/en-us/library/cc738878(WS.10).aspx, where there is a policy.inf example.
http://www.sysadmins.lv
January 15th, 2010 7:22pm

You know, in the second step I have been selecting the capolicy.inf. I will try again with another policy.inf and see what happens.
January 15th, 2010 7:34pm

Is there a command to display the current CAPolicy as an .inf file?
January 15th, 2010 7:38pm

For cross-certification you don't need to use CAPolicy.inf. Policy.inf is similar but not the same. I have an example of this file (not the best, but as is):
[Version]
Signature = "$Windows NT$"

[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
critical = true

[NameConstraintsPermitted]
DirectoryName = "DC=adatum, DC=COM"
Email = @adatum.com
Email = .adatum.com
URL = .adatum.com
UPN = .adatum.com
UPN = @adatum.com

[NameConstraintsExcluded]
DirectoryName = "DC=contoso, DC=com"
Email = @contoso.com
Email = .contoso.com
URL = .contoso.com
UPN = .contoso.com
UPN = @contoso.com

[BasicConstraintsExtension]
pathlength = 1
critical = true

[ApplicationPolicyStatementExtension]
Policies = CodeSigning
critical = false

[CodeSigning]
OID = 1.3.6.1.5.5.7.3.3

[RequestAttributes]
CertificateTemplate = CrossCA
In this case the domain contoso.com trusts certificates from the adatum.com domain for the code signing purpose. I haven't implemented certificate policy mappings, so you can use this file as an example, and for more information use the whitepaper.
http://www.sysadmins.lv
January 15th, 2010 7:47pm
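Added example, not from this thread and not part of Microsoft's tooling: a small Python lint to run over a cross-certification policy.inf like the one above before feeding it to certreq -policy. It checks the mistakes this thread tripped over (no [RequestAttributes] CertificateTemplate = CrossCA, which the CA reports as conflicting templates, and a PathLength that cannot chain past the partner's root) and that every section named in Include/Exclude/Policies exists with a dotted-decimal OID; the sample INF and the check messages are constructed.

```python
# Constructed sample, not the thread's file verbatim: the policy.inf shape sysadmins.lv posted,
# with [RequestAttributes] left out and [NameConstraintsExcluded] never defined, so both checks fire.
SAMPLE_POLICY_INF = """[Version]
Signature = "$Windows NT$"
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
[NameConstraintsPermitted]
Email = @adatum.com
[BasicConstraintsExtension]
pathlength = 1
[ApplicationPolicyStatementExtension]
Policies = CodeSigning
[CodeSigning]
OID = 1.3.6.1.5.5.7.3.3"""

def parse_inf(text):
    """INF -> {section: [(key, value), ...]}, names lower-cased; duplicate keys are kept."""
    inf, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            inf.setdefault(cur, [])
        elif "=" in line and cur is not None:
            k, v = line.split("=", 1)
            inf[cur].append((k.strip().lower(), v.strip().strip('"')))
    return inf

def lint_policy_inf(text):
    """Return the problems a CA would reject, or a partner would stumble on, in a cross-CA policy.inf."""
    inf, problems = parse_inf(text), []
    vals = lambda sec, key: [v for k, v in inf.get(sec, []) if k == key]
    if not vals("requestattributes", "certificatetemplate"):
        problems.append("no [RequestAttributes] CertificateTemplate (CA answers 'Conflicting certificate Templates')")
    # every section named by Include/Exclude/Policies must exist, and its OID must be dotted-decimal
    refs = vals("nameconstraintsextension", "include") + vals("nameconstraintsextension", "exclude")
    for sec in ("policystatementextension", "applicationpolicystatementextension"):
        refs += [p.strip() for lst in vals(sec, "policies") for p in lst.split(",")]
    for name in refs:
        if name.lower() not in inf:
            problems.append("section [%s] is referenced but never defined" % name)
        for oid in vals(name.lower(), "oid"):
            if not all(part.isdigit() for part in oid.split(".")):
                problems.append("[%s] OID %r is not dotted-decimal" % (name, oid))
    for pl in vals("basicconstraintsextension", "pathlength"):
        if not pl.isdigit() or int(pl) == 0:
            problems.append("PathLength %r: use a positive integer if the partner has subordinate CAs" % pl)
    return problems
```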

Thanks. I got it working.
January 19th, 2010 9:24pm
