Include the issuance policies for Trusted Platform Module (TPM) Key Attestation in a certification authority certificate.

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.

If you want to include the issuance policies for Trusted Platform Module (TPM) Key Attestation in the certification authority certificate, proceed as follows.

The following OIDs are used for TPM Key Attestation:

OID                       Meaning
1.3.6.1.4.1.311.21.32     TPM Key Attestation: User Credentials (Low Assurance)
1.3.6.1.4.1.311.21.31     TPM Key Attestation: Endorsement Certificate (Medium Assurance)
1.3.6.1.4.1.311.21.30     TPM Key Attestation: Endorsement Key (High Assurance)

To include issuance policies in a certification authority certificate, it is necessary to submit a new certificate request and issue a new certification authority certificate. Since the existing certificate is signed, it cannot be changed.

For the issuance policies to be included in the certificate request, the C:\Windows\capolicy.inf file must be edited before the request is submitted. The following sections must be included:

[PolicyStatementExtension]
Policies=TpmLowAssurancePolicy,TpmMediumAssurancePolicy,TpmHighAssurancePolicy

; The section names below must match the names listed in Policies= exactly.

; TPM Key Attestation: User Credentials (Low Assurance)
[TpmLowAssurancePolicy]
OID=1.3.6.1.4.1.311.21.32

; TPM Key Attestation: Endorsement Certificate (Medium Assurance)
[TpmMediumAssurancePolicy]
OID=1.3.6.1.4.1.311.21.31

; TPM Key Attestation: Endorsement Key (High Assurance)
[TpmHighAssurancePolicy]
OID=1.3.6.1.4.1.311.21.30

A new certificate request can then be submitted.

After the certificate request has been signed by the parent certification authority, the new certification authority certificate should contain the issuance policies for Trusted Platform Module (TPM) Key Attestation.
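A check worth running once the renewed certificate is installed, added here as an example and not part of the original article: a PowerShell script that reads the new CA certificate and confirms that its Certificate Policies extension lists all three TPM Key Attestation OIDs from the table above. The certificate path is a placeholder, and parsing the text produced by the extension's Format() method assumes Windows PowerShell, since that rendering comes from the Windows crypto API.

```powershell
# Added example (not from the original article): verify that a renewed CA
# certificate carries the three TPM Key Attestation issuance policies.

$ExpectedPolicies = @{
    '1.3.6.1.4.1.311.21.32' = 'TPM Key Attestation: User Credentials (Low Assurance)'
    '1.3.6.1.4.1.311.21.31' = 'TPM Key Attestation: Endorsement Certificate (Medium Assurance)'
    '1.3.6.1.4.1.311.21.30' = 'TPM Key Attestation: Endorsement Key (High Assurance)'
}

function Get-CertificatePolicyOids {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.32 is id-ce-certificatePolicies, the extension that holds issuance policies.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return @() }

    # On Windows, Format($true) renders lines such as
    # "Policy Identifier=1.3.6.1.4.1.311.21.32"; extract the dotted OIDs from that text.
    [regex]::Matches($ext.Format($true), 'Policy Identifier=([0-9.]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-TpmAttestationPolicies {
    param([Parameter(Mandatory)][string]$CertificatePath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    $present = @(Get-CertificatePolicyOids -Certificate $cert)
    $allFound = $true
    foreach ($oid in $ExpectedPolicies.Keys) {
        if ($present -contains $oid) {
            Write-Host ("OK       {0}  {1}" -f $oid, $ExpectedPolicies[$oid])
        } else {
            Write-Warning ("MISSING  {0}  {1}" -f $oid, $ExpectedPolicies[$oid])
            $allFound = $false
        }
    }
    return $allFound
}

# Placeholder path: point this at the renewed CA certificate exported from the CA.
Test-TpmAttestationPolicies -CertificatePath 'C:\temp\ca-renewed.cer'
```

If the result is $false, the request was most likely submitted before capolicy.inf contained the PolicyStatementExtension section, and the CA certificate has to be renewed again.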
