capolicy.inf - Uwe Gradenegger

Basics: Configuration file for the certification authority (capolicy.inf)

The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.

Umlauts in certification authority certificates

Internationalized Domain Names (IDNs) have been officially supported since Windows Server 2012 as part of the Certificate Authority and associated components.

However, if you want to use them in your certification authority certificates, there are some specifics to consider.

Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

A Certification Authority certificate is requested from a Certification Authority
The certificate request fails with the following error message:

The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module

Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint"..

Create a backup of a certification authority

Professional operation of a Certification Authority also includes the regular creation of backups.

The following describes which components need to be backed up and the associated procedure.

Description of the necessary configuration settings for the "Common PKI" certificate profile

The following is a description of what configuration settings are necessary for a certificate hierarchy based on Active Directory Certificate Services to be compliant with the "Common PKI" standard.

Include the wildcard issuance policy (All Issuance Policies) in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate will not contain an issuance policy.

If you want to include the wildcard issuance policy (All Issuance Policies) in the certification authority certificate, you must proceed as follows:

Include the issuance policies for Trusted Platform (TPM) Key Attestation in a certification authority certificate.

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.

If you want to include the issuance policies for Trusted Platform (TPM) Key Attestation in the certification authority certificate, you must proceed as follows.

Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then (at least) limited to the defined extended key usages.

The Smart Card Logon Extended Key Usage, which is of interest for many attacks (in conjunction with the certification authority's membership in NTAuthCertificates) would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Removing ADCS-specific extensions from certificates

When using Active Directory Certificates, it is noticeable that there are certain extensions in the certificates of the certification authorities and the certificates they issue that are not defined in the relevant RFCs and are specific to AD CS.